Abstract
This paper describes the design and implementation of DExtor, a data-mining-based exploit code detector that protects network services. DExtor operates under the assumption that normal traffic to network services contains only data, whereas exploits contain code. The system is first trained with real data containing exploit code and normal traffic. Once trained, DExtor is deployed between a web service and its gateway or firewall, where it operates at the application layer to detect and block exploit code in real time. Tests using large volumes of normal and attack traffic demonstrate that DExtor can detect almost all the exploit code with negligible false alarm rates.
Copyright information
© 2008 IFIP International Federation for Information Processing
Cite this paper
Masud, M., Khan, L., Thuraisingham, B., Wang, X., Liu, P., Zhu, S. (2008). Detecting Remote Exploits Using Data Mining. In: Ray, I., Shenoi, S. (eds) Advances in Digital Forensics IV. DigitalForensics 2008. IFIP — The International Federation for Information Processing, vol 285. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-84927-0_15
DOI: https://doi.org/10.1007/978-0-387-84927-0_15
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-84926-3
Online ISBN: 978-0-387-84927-0