TY - GEN
T1 - Argos
T2 - 2006 EuroSys Conference
AU - Portokalidis, Georgios
AU - Slowinska, Asia
AU - Bos, Herbert
PY - 2006
Y1 - 2006
N2 - As modern operating systems and software become larger and more complex, they are more likely to contain bugs, which may allow attackers to gain illegitimate access. A fast and reliable mechanism to discern and generate vaccines for such attacks is vital for the successful protection of networks and systems. In this paper we present Argos, a containment environment for worms as well as human-orchestrated attacks. Argos is built upon a fast x86 emulator which tracks network data throughout execution to identify their invalid use as jump targets, function addresses, instructions, etc. Furthermore, system call policies disallow the use of network data as arguments to certain calls. When an attack is detected, we perform 'intelligent' process- or kernel-aware logging of the corresponding emulator state for further offline processing. In addition, our own forensics shellcode is injected, replacing the malevolent shellcode, to gather information about the attacked process. By correlating the data logged by the emulator with the data collected from the network, we are able to generate accurate network intrusion detection signatures for the exploits that are immune to payload mutations. The entire process can be automated and has few if any false positives, thus rapid global-scale deployment of the signatures is possible.
AB - As modern operating systems and software become larger and more complex, they are more likely to contain bugs, which may allow attackers to gain illegitimate access. A fast and reliable mechanism to discern and generate vaccines for such attacks is vital for the successful protection of networks and systems. In this paper we present Argos, a containment environment for worms as well as human-orchestrated attacks. Argos is built upon a fast x86 emulator which tracks network data throughout execution to identify their invalid use as jump targets, function addresses, instructions, etc. Furthermore, system call policies disallow the use of network data as arguments to certain calls. When an attack is detected, we perform 'intelligent' process- or kernel-aware logging of the corresponding emulator state for further offline processing. In addition, our own forensics shellcode is injected, replacing the malevolent shellcode, to gather information about the attacked process. By correlating the data logged by the emulator with the data collected from the network, we are able to generate accurate network intrusion detection signatures for the exploits that are immune to payload mutations. The entire process can be automated and has few if any false positives, thus rapid global-scale deployment of the signatures is possible.
KW - Design
KW - Experimentation
KW - Performance
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=34748920692&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34748920692&partnerID=8YFLogxK
U2 - 10.1145/1217935.1217938
DO - 10.1145/1217935.1217938
M3 - Conference contribution
AN - SCOPUS:34748920692
SN - 1595933220
SN - 9781595933225
T3 - Proceedings of the 2006 EuroSys Conference
SP - 15
EP - 27
BT - Proceedings of the 2006 EuroSys Conference
Y2 - 18 April 2006 through 21 April 2006
ER -
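The abstract describes dynamic taint tracking: bytes that arrive from the network are tagged, the tag follows them through memory and registers, and an alert fires when a tagged value becomes a jump or call target or reaches a policed system call. The toy machine below is an added illustration of that idea written for this record; it is not Argos' code (Argos instruments a full x86 emulator, QEMU-based) and the four-register instruction set, the `POLICED_SYSCALLS` list, the two sample service programs and the sample network payloads are all constructed here. Each taint tag records the offset of the originating network byte, which is the piece of emulator state the abstract says is correlated with captured traffic to build a signature.

```python
"""Toy dynamic taint tracker illustrating the detection idea in the Argos abstract.

Added example, not Argos' implementation. Memory and registers carry a shadow
tag per byte: 0 = clean, n+1 = byte derived from network input offset n.
"""

MEM_SIZE = 64

# Assumed policy (not taken from the paper): these calls may not receive
# network-derived arguments.
POLICED_SYSCALLS = {"execve", "open"}


class TaintAlert(Exception):
    """Raised when network data is used as a control target or policed argument."""


class ToyMachine:
    def __init__(self, program, network_input):
        self.program = program                 # list of (opcode, *operands)
        self.net = bytes(network_input)
        self.mem = bytearray(MEM_SIZE)
        self.mem_taint = [0] * MEM_SIZE        # shadow tag per memory byte
        self.regs = [0] * 4
        self.reg_taint = [0] * 4               # shadow tag per register
        self.pc = 0
        self.log = []

    def run(self, max_steps=100):
        for _ in range(max_steps):
            if self.pc >= len(self.program):
                return self.log
            op, *args = self.program[self.pc]
            self.pc += 1
            getattr(self, "op_" + op)(*args)
        raise RuntimeError("step limit exceeded")

    def op_recv(self, addr, n):
        # Emulated recv(): copy up to n network bytes into memory and tag each
        # destination byte with its source offset (this is where taint enters).
        data = self.net[:n]
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.mem_taint[addr + i] = i + 1
        self.log.append(("recv", addr, len(data)))

    def op_load(self, r, addr):          # tag travels memory -> register
        self.regs[r] = self.mem[addr]
        self.reg_taint[r] = self.mem_taint[addr]

    def op_store(self, addr, r):         # tag travels register -> memory
        self.mem[addr] = self.regs[r] & 0xFF
        self.mem_taint[addr] = self.reg_taint[r]

    def op_movi(self, r, imm):           # immediates are never tainted
        self.regs[r] = imm & 0xFF
        self.reg_taint[r] = 0

    def op_add(self, r1, r2):            # arithmetic keeps the first source's tag
        self.regs[r1] = (self.regs[r1] + self.regs[r2]) & 0xFF
        self.reg_taint[r1] = self.reg_taint[r1] or self.reg_taint[r2]

    def _alert(self, what, r):
        raise TaintAlert(f"tainted {what} in r{r} at pc={self.pc - 1} "
                         f"(network offset {self.reg_taint[r] - 1})")

    def op_jmp(self, r):                 # indirect jump through a register
        if self.reg_taint[r]:
            self._alert(f"jump target 0x{self.regs[r]:02x}", r)
        self.pc = self.regs[r]

    def op_call(self, r):                # indirect call through a register
        if self.reg_taint[r]:
            self._alert(f"call target 0x{self.regs[r]:02x}", r)
        self.pc = self.regs[r]

    def op_syscall(self, name, r):
        if name in POLICED_SYSCALLS and self.reg_taint[r]:
            self._alert(f"argument to {name}", r)
        self.log.append(("syscall", name, self.regs[r]))


def execute(program, payload):
    """Run a program on one network payload; return the alert text or None."""
    try:
        ToyMachine(program, payload).run()
        return None
    except TaintAlert as e:
        return str(e)


# Constructed service: recv up to 20 bytes into a 16-byte buffer at address 0;
# the "saved return address" lives at address 16, so a long request overwrites it.
OVERFLOW_SERVICE = [
    ("movi", 1, 5),      # 0: legitimate return address is program index 5
    ("store", 16, 1),    # 1: saved on the "stack" at mem[16]
    ("recv", 0, 20),     # 2: buffer holds 16 bytes, recv allows 20
    ("load", 0, 16),     # 3: "ret": reload the saved address
    ("jmp", 0),          # 4: ... and jump through it
    ("movi", 2, 0),      # 5: normal continuation
]

# Constructed service: a network byte flows through arithmetic into execve().
EXEC_SERVICE = [
    ("recv", 0, 4),            # 0
    ("load", 0, 0),            # 1: r0 = first network byte
    ("movi", 1, 1),            # 2
    ("add", 0, 1),             # 3: r0 stays tainted after the add
    ("syscall", "write", 0),   # 4: not policed, allowed
    ("syscall", "execve", 0),  # 5: policed, alert
]

if __name__ == "__main__":
    print(execute(OVERFLOW_SERVICE, b"GET / HTTP/1.0"))
    print(execute(OVERFLOW_SERVICE, b"A" * 16 + b"\x09" + b"BBB"))
    print(execute(EXEC_SERVICE, b"ls\n\x00"))
```

The reported network offset is the hook for the signature step in the abstract: for the overflow service it says that byte 16 of the request landed in the saved return address, a structural fact about the exploit that survives changing the shellcode bytes that follow it. The real system must also handle tainted instruction fetches and far richer propagation rules; the toy deliberately leaves those out.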