Argos: An emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation

Georgios Portokalidis, Asia Slowinska, Herbert Bos

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

113 Scopus citations

Abstract

As modern operating systems and software become larger and more complex, they are more likely to contain bugs, which may allow attackers to gain illegitimate access. A fast and reliable mechanism to discern and generate vaccines for such attacks is vital for the successful protection of networks and systems. In this paper we present Argos, a containment environment for worms as well as human orchestrated attacks. Argos is built upon a fast x86 emulator which tracks network data throughout execution to identify their invalid use as jump targets, function addresses, instructions, etc. Furthermore, system call policies disallow the use of network data as arguments to certain calls. When an attack is detected, we perform 'intelligent' process- or kernel-aware logging of the corresponding emulator state for further offline processing. In addition, our own forensics shellcode is injected, replacing the malevolent shellcode, to gather information about the attacked process. By correlating the data logged by the emulator with the data collected from the network, we are able to generate accurate network intrusion detection signatures for the exploits that are immune to payload mutations. The entire process can be automated and has few if any false positives, thus rapid global scale deployment of the signatures is possible.

Original languageEnglish
Title of host publicationProceedings of the 2006 EuroSys Conference
Pages15-27
Number of pages13
DOIs
StatePublished - 2006
Event2006 EuroSys Conference - Leuven, Belgium
Duration: 18 Apr 200621 Apr 2006

Publication series

NameProceedings of the 2006 EuroSys Conference

Conference

Conference2006 EuroSys Conference
Country/TerritoryBelgium
CityLeuven
Period18/04/0621/04/06

Keywords

  • Design
  • Experimentation
  • Performance
  • Security

Fingerprint

Dive into the research topics of 'Argos: An emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation'. Together they form a unique fingerprint.

Cite this