A General Model and Guidelines for Attack Manifestation Generation

  • Ulf E. Larson
  • Dennis K. Nilsson
  • Erland Jonsson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5141)


Many critical infrastructures such as health care, crisis management and financial systems are part of the Internet and exposed to the rather hostile environment found there. At the same time it is recognized that traditional defensive mechanisms provide some protection, but has to be complemented with supervisory features, such as intrusion detection. Intrusion detection systems (IDS) monitor the network and the host computers for signs of intrusions and intrusion attempts. However, an IDS needs training data to learn how to discriminate between intrusion attempts and benign events. In order to properly train the detection system we need data containing attack manifestations. The provision of such manifestations may pose considerable problems and effort, especially since many attacks are not successful against a particular system version. This paper suggests a general model for how to implement an automatic tool that can be used for generation of successful attacks and finding the relevant manifestations with a limited amount of effort and time delay. Those manifestations can then promptly be used for setting up the IDS and countering the attack. To illustrate the concepts we provide an implementation example for an important attack type, the stack-smashing buffer overflow attack.


Execution monitoring automation mutation model manifestation generation 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Larson, U., Lundin-Barse, E., Jonsson, E.: METAL - a tool for extracting attack manifestations. In: Proceedings of Detection of Intrusions and Malware & Vulnerability Assessment workshop (DIMVA), Vienna, Austria, July 7-8 (2005)Google Scholar
  2. 2.
    Barse, E.L., Jonsson, E.: Extracting attack manifestations to determine log data requirements for intrusion detection. In: Proceedings of the 20th Annual Computer Security Applications Conference, ACSAC 2004, Tucson, Arizona, USA. IEEE Computer Society, Los Alamitos (2004)Google Scholar
  3. 3.
    The metasploit framework (September 2006),
  4. 4.
    Bidiblah - security assessment power tools (September 2006),
  5. 5.
    The nessus vulnerability scanner (September 2006),
  6. 6.
    Nmap security scanner (September 2006),
  7. 7.
    Kayacik, H.G., Heywood, M., Zincir-Heywood, N.: On evolving buffer overflow attacks using genetic programming. In: GECCO 2006 (July 2006)Google Scholar
  8. 8.
    Vigna, G., Robertson, W., Balzarotti, D.: Testing network based intrusion detection signatures using mutant exploits. In: ACM Conference on Computer Security (2004)Google Scholar
  9. 9.
    Puketza, N.J., Zhang, K., Chung, M., Mukherjee, B., Olsson, R.A.: A methodology for testing intrusion detection systems. In: 17th National Computer Security Conference, Baltimore, MD (1994)Google Scholar
  10. 10.
    Foster, J.C., Williams, A.: Sockets, Shellcode, Porting and Coding. In: Syngress, ch. 12 (March 2005)Google Scholar
  11. 11.
    Aleph One. Smashing the stack for fun and profit (1996),
  12. 12.
    Nilsson, D.K., Larson, U., Jonsson, E.: A general model and guidelines for attack manifestation generation. Technical Report TR-2007:8, Department of Computer Science and Engineering, Chalmers University of Technology (2007)Google Scholar
  13. 13.
    Wagner, D., Soto, P.: Mimicry attacks on host based intrusion detection systems. In: Ninth ACM Conference on Computer and Communications Security (2002)Google Scholar
  14. 14.
    Tan, K.M.C., Killourhy, K.S., Maxion, R.A.: Undermining an anomaly-based intrusion detection system using common exploits. In: Proceedings of the 5th International Symposium on Recent Advances in Intrusion Detection (2002)Google Scholar
  15. 15.
    Cowan, C., et al.: Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks. In: Proceedings of the 7th USENIX Security Symposium (January 1998)Google Scholar
  16. 16.
    Etoh, H.: GCC extension for protecting applications from stack-smashing attacks (ProPolice) (2003)Google Scholar
  17. 17.
    Richarte, G.: Four different tricks to bypass stackshield and stackguard protection. Technical Report NIST IR 7007, NIST (2002)Google Scholar
  18. 18. (June 2006),
  19. 19.
    Kelley, A., Pohl, I.: A Book on C, 4th edn., December 1997. Addisson-Wesley Professional (1997)Google Scholar
  20. 20.
    Erickson, J.: Hacking, the art of exploitation. No Starch Press, Inc. (2003)Google Scholar
  21. 21.
    Burebista. Remote automatic exploitation of stack overflows (2003),
  22. 22.
    contex. Exploiting x86 stack based buffer overflows (2006),
  23. 23.
    xgc/dx A.K.A T. Silva. Introduction to local stack overflow (2005),
  24. 24.
    Preddy. Buffer overflow tutorial (2006),
  25. 25.
    Address space layout randomization (Latest visited, July 2007),
  26. 26.
    Denial-of-service attack (Latest visited July 2007),

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Ulf E. Larson
    • 1
  • Dennis K. Nilsson
    • 1
  • Erland Jonsson
    • 1
  1. 1.Department of Computer Science and EngineeringChalmers University of TechnologyGothenburgSweden

Personalised recommendations