
Accurate and efficient exploit capture and classification


Bibliographic Details
Published in: Science China Information Sciences, May 2017, Vol. 60 (5), pp. 189-205, Article 052110
Main Authors: Ding, Yu, Wei, Tao, Xue, Hui, Zhang, Yulong, Zhang, Chao, Han, Xinhui
Format: Article
Language:English
Description
Summary: Software exploits, especially zero-day exploits, are major security threats. Every day, security experts discover and collect numerous exploits from honeypots, malware forensics, and underground channels. However, no easy methods exist to classify these exploits into meaningful categories and to accelerate diagnosis as well as detailed analysis. To address this need, we present SeismoMeter, which recognizes both control-flow hijacking and data-only attacks by combining approximate control-flow integrity, fast dynamic taint analysis and API sandboxing schemes. Once it detects an exploit incident, SeismoMeter generates a succinct data representation, called an exploit skeleton, to characterize the captured exploit. SeismoMeter then classifies the captured exploits into different exploit families by computing distances between the extracted skeletons. To evaluate the efficiency of SeismoMeter, we conduct a field test using exploit samples from public exploit databases, such as Metasploit, as well as wild-captured exploits. Our experiments demonstrate that SeismoMeter is a practical system that successfully detects and correctly classifies all of these exploit attacks.
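As an added illustration of the capture-then-classify pipeline the abstract sketches (this is example code written for this page, not SeismoMeter's own implementation, whose skeleton format and distance metric are not given here): a monitored run emits a stream of events from the three detectors named above (control-flow-integrity violations, taint reaching control or security-critical data, and calls intercepted by the API sandbox), the skeleton keeps only those security-relevant events in order, and a new sample is assigned to the family whose reference skeletons are closest under a normalized edit distance, or flagged as a new family when nothing is close enough. The event kinds, family names, the constructed trace, and the 0.4 threshold are all assumptions for the example.

```python
"""Toy exploit-skeleton extraction and family classification.

Illustrative code for the abstract above; not the paper's code. Event kinds,
family names, the sample trace and the distance threshold are assumptions.
"""
from typing import Dict, List, Optional, Tuple

Skeleton = List[str]

# Event kinds the three detectors would report. Ordinary API calls and other
# benign activity are noise and are dropped from the skeleton.
SECURITY_EVENT_KINDS = {"cfi_violation", "taint_control", "taint_data", "api_sandbox"}


def extract_skeleton(trace: List[dict]) -> Skeleton:
    """Reduce a raw event trace to the ordered list of security-relevant events."""
    return [f"{e['kind']}:{e['detail']}" for e in trace if e["kind"] in SECURITY_EVENT_KINDS]


def edit_distance(a: Skeleton, b: Skeleton) -> int:
    """Levenshtein distance over event tokens (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cost = 0 if x == y else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def skeleton_distance(a: Skeleton, b: Skeleton) -> float:
    """Edit distance normalized to [0, 1] by the longer skeleton's length."""
    if not a and not b:
        return 0.0
    return edit_distance(a, b) / max(len(a), len(b))


def classify(sample: Skeleton, families: Dict[str, List[Skeleton]],
             threshold: float = 0.4) -> Tuple[Optional[str], float]:
    """Nearest-family assignment; returns (None, d) when the best distance exceeds threshold."""
    best_name: Optional[str] = None
    best_dist = 1.0
    for name, refs in families.items():
        d = min(skeleton_distance(sample, r) for r in refs)
        if d < best_dist:
            best_name, best_dist = name, d
    if best_dist > threshold:
        return None, best_dist
    return best_name, best_dist


# Constructed reference skeletons for three hypothetical families. The data-only
# family has no CFI violation by definition: only tainted data and sandboxed APIs.
FAMILIES: Dict[str, List[Skeleton]] = {
    "rop_virtualprotect": [[
        "cfi_violation:ret", "taint_control:ret_addr",
        "api_sandbox:VirtualProtect", "api_sandbox:CreateProcess",
    ]],
    "heap_spray_vtable": [[
        "taint_control:vtable_ptr", "cfi_violation:call",
        "api_sandbox:VirtualAlloc", "api_sandbox:WinExec",
    ]],
    "data_only_file_write": [[
        "taint_data:file_path", "api_sandbox:CreateFile", "api_sandbox:WriteFile",
    ]],
}

# Constructed trace from a monitored run: benign API calls interleaved with
# detector events. Only the detector events survive in the skeleton.
CAPTURED_TRACE: List[dict] = [
    {"kind": "api_call", "detail": "GetTickCount"},
    {"kind": "cfi_violation", "detail": "ret"},
    {"kind": "taint_control", "detail": "ret_addr"},
    {"kind": "api_call", "detail": "GetModuleHandleA"},
    {"kind": "api_sandbox", "detail": "VirtualProtect"},
    {"kind": "api_sandbox", "detail": "WinExec"},
]


def classify_trace(trace: List[dict]) -> Tuple[Optional[str], float]:
    """Full pipeline: trace -> skeleton -> nearest family."""
    return classify(extract_skeleton(trace), FAMILIES)


if __name__ == "__main__":
    print(extract_skeleton(CAPTURED_TRACE))
    print(classify_trace(CAPTURED_TRACE))
```

The captured sample differs from the `rop_virtualprotect` reference only in its final API (WinExec instead of CreateProcess), so it lands in that family at distance 0.25; a skeleton that shares no events with any reference scores 1.0 against all of them and is reported as unclassified, which is the case where an analyst would open a new family. The normalization keeps the threshold meaningful across skeletons of different lengths.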
ISSN:1674-733X
1869-1919
DOI:10.1007/s11432-016-5521-0