Argos: An Emulator for Fingerprinting Zero-Day Attacks for advertised honeypots with automatic signature generation

Georgios Portokalidis, Asia Slowinska, Herbert Bos

Research output: Contribution to journalArticlepeer-review

33 Scopus citations

Abstract

As modern operating systems and software become larger and more complex, they are more likely to contain bugs, which may allow attackers to gain illegitimate access. A fast and reliable mechanism to discern and generate vaccines for such attacks is vital for the successful protection of networks and systems. In this paper we present Argos, a containment environment for worms as well as human orchestrated attacks. Argos is built upon a fast x86 emulator which tracks network data throughout execution to identify their invalid use as jump targets, function addresses, instructions, etc. Furthermore, system call policies disallow the use of network data as arguments to certain calls. When an attack is detected, we perform 'intelligent' process-or kernel-Aware logging of the corresponding emulator state for further offline processing. In addition, our own forensics shellcode is injected, replacing the malevolent shellcode, to gather information about the attacked process. By correlating the data logged by the emulator with the data collected from the network, we are able to generate accurate network intrusion detection signatures for the exploits that are immune to payload mutations. The entire process can be automated and has few if any false positives, thus rapid global scale deployment of the signatures is possible.

Original languageEnglish
Pages (from-to)15-27
Number of pages13
JournalOperating Systems Review (ACM)
Volume40
Issue number4
DOIs
StatePublished - Oct 2006

Fingerprint

Dive into the research topics of 'Argos: An Emulator for Fingerprinting Zero-Day Attacks for advertised honeypots with automatic signature generation'. Together they form a unique fingerprint.

Cite this