TY - JOUR
T1 - Argos
T2 - An Emulator for Fingerprinting Zero-Day Attacks for advertised honeypots with automatic signature generation
AU - Portokalidis, Georgios
AU - Slowinska, Asia
AU - Bos, Herbert
N1 - Publisher Copyright:
© 2006 Authors.
PY - 2006/10
Y1 - 2006/10
N2 - As modern operating systems and software become larger and more complex, they are more likely to contain bugs, which may allow attackers to gain illegitimate access. A fast and reliable mechanism to discern and generate vaccines for such attacks is vital for the successful protection of networks and systems. In this paper we present Argos, a containment environment for worms as well as human orchestrated attacks. Argos is built upon a fast x86 emulator which tracks network data throughout execution to identify their invalid use as jump targets, function addresses, instructions, etc. Furthermore, system call policies disallow the use of network data as arguments to certain calls. When an attack is detected, we perform 'intelligent' process-or kernel-Aware logging of the corresponding emulator state for further offline processing. In addition, our own forensics shellcode is injected, replacing the malevolent shellcode, to gather information about the attacked process. By correlating the data logged by the emulator with the data collected from the network, we are able to generate accurate network intrusion detection signatures for the exploits that are immune to payload mutations. The entire process can be automated and has few if any false positives, thus rapid global scale deployment of the signatures is possible.
AB - As modern operating systems and software become larger and more complex, they are more likely to contain bugs, which may allow attackers to gain illegitimate access. A fast and reliable mechanism to discern and generate vaccines for such attacks is vital for the successful protection of networks and systems. In this paper we present Argos, a containment environment for worms as well as human orchestrated attacks. Argos is built upon a fast x86 emulator which tracks network data throughout execution to identify their invalid use as jump targets, function addresses, instructions, etc. Furthermore, system call policies disallow the use of network data as arguments to certain calls. When an attack is detected, we perform 'intelligent' process-or kernel-Aware logging of the corresponding emulator state for further offline processing. In addition, our own forensics shellcode is injected, replacing the malevolent shellcode, to gather information about the attacked process. By correlating the data logged by the emulator with the data collected from the network, we are able to generate accurate network intrusion detection signatures for the exploits that are immune to payload mutations. The entire process can be automated and has few if any false positives, thus rapid global scale deployment of the signatures is possible.
UR - http://www.scopus.com/inward/record.url?scp=85101182647&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85101182647&partnerID=8YFLogxK
U2 - 10.1145/1218063.1217938
DO - 10.1145/1218063.1217938
M3 - Article
AN - SCOPUS:85101182647
SN - 0163-5980
VL - 40
SP - 15
EP - 27
JO - Operating Systems Review (ACM)
JF - Operating Systems Review (ACM)
IS - 4
ER -