ABSTRACT
In this work, we employ genetic programming to evolve a "white hat" attacker; that is to say, we evolve variants of an attack with the objective of providing better detectors. Assuming a generic buffer overflow exploit, we evolve variants of that generic attack with the objective of evading detection by signature-based methods. To do so, we pay particular attention to the formulation of an appropriate fitness function and its partnering instruction set. Moreover, by making use of the intron behavior inherent in the genetic programming paradigm, we are able to explicitly obfuscate the true intent of the code. All the resulting attacks defeat the widely used Snort intrusion detection system.
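The abstract describes three ingredients: an instruction set the evolved programs are built from, a fitness function that rewards keeping the attack's behaviour while escaping a fixed signature, and introns (instructions with no effect on the outcome) that pad and obfuscate the byte image. The following is an added illustration, not the paper's code: a toy linear-GP search over a constructed four-register byte machine (not IA-32), with a constructed two-instruction "baseline payload" whose exact byte image serves as the signature (a stand-in for a Snort content match, not a real rule). The fitness function, mutation operators and intron detector are assumptions chosen to mirror the abstract's description.

```python
"""Added illustration (not the paper's code): a toy linear-GP search that
evolves variants of a fixed byte sequence which keep its observable effect
but no longer contain a signature-style byte pattern."""
import random

# Constructed instruction set for a 4-register byte machine. Each instruction is a
# (opcode, a, b) triple and is encoded as exactly three bytes.
MOV, ADD, XOR, SUB, NOP = range(5)
NREGS = 4
OBSERVABLE = 2     # only r0 and r1 count as the "effect" of the payload
MAX_LEN = 12

def execute(program):
    """Run a program and return the final register file."""
    regs = [0] * NREGS
    for op, a, b in program:
        if op == MOV:
            regs[a] = b & 0xff
        elif op == ADD:
            regs[a] = (regs[a] + regs[b]) & 0xff
        elif op == XOR:
            regs[a] ^= regs[b]
        elif op == SUB:
            regs[a] = (regs[a] - regs[b]) & 0xff
        # NOP: no effect
    return regs

def encode(program):
    """The byte image a network detector would see."""
    return bytes(x for instr in program for x in instr)

def matches_signature(payload, signature):
    """Fixed-pattern substring match: the signature-based model the abstract targets."""
    return signature in payload

def introns(program):
    """Indices of instructions whose removal leaves the observable registers unchanged."""
    base = execute(program)[:OBSERVABLE]
    return [i for i in range(len(program))
            if execute(program[:i] + program[i + 1:])[:OBSERVABLE] == base]

def fitness(program, target, signature):
    """Behaviour first (10 per correct observable register), then signature evasion,
    with a small length penalty as tie-breaker so bloat is not free."""
    regs = execute(program)
    correct = sum(1 for i, v in enumerate(target) if regs[i] == v)
    evades = 0 if matches_signature(encode(program), signature) else 1
    return 10 * correct + 5 * evades - 0.1 * len(program)

def random_instr(rng):
    op = rng.randrange(5)
    if op == MOV:
        return (op, rng.randrange(NREGS), rng.randrange(256))
    if op == NOP:
        return (op, 0, 0)
    return (op, rng.randrange(NREGS), rng.randrange(NREGS))

def mutate(program, rng):
    """Insert, delete or replace one instruction."""
    p = list(program)
    r = rng.random()
    if r < 1 / 3 and len(p) < MAX_LEN:
        p.insert(rng.randint(0, len(p)), random_instr(rng))
    elif r < 2 / 3 and len(p) > 1:
        del p[rng.randrange(len(p))]
    else:
        p[rng.randrange(len(p))] = random_instr(rng)
    return p

def crossover(a, b, rng):
    """One-point crossover on instruction lists."""
    child = a[:rng.randint(0, len(a))] + b[rng.randint(0, len(b)):]
    return child[:MAX_LEN] if child else list(a)

def evolve(baseline, signature, pop_size=60, generations=200, seed=1):
    """Return (variant, generation) where variant has the baseline's observable
    effect and its encoding does not contain `signature`, or (None, generations)."""
    rng = random.Random(seed)
    target = execute(baseline)[:OBSERVABLE]
    pop = [list(baseline) for _ in range(pop_size)]
    for gen in range(generations):
        pop.sort(key=lambda p: fitness(p, target, signature), reverse=True)
        best = pop[0]
        if execute(best)[:OBSERVABLE] == target and not matches_signature(encode(best), signature):
            return best, gen
        elite = pop[:pop_size // 5]          # elitism keeps the best fifth
        pop = list(elite)
        while len(pop) < pop_size:
            pop.append(mutate(crossover(rng.choice(elite), rng.choice(elite), rng), rng))
    return None, generations

# Constructed stand-in for the "generic attack": two register loads. The signature is
# its exact byte image, as a signature-based detector would store it.
BASELINE = [(MOV, 0, 0x0b), (MOV, 1, 0x2f)]
SIGNATURE = encode(BASELINE)

if __name__ == "__main__":
    variant, gen = evolve(BASELINE, SIGNATURE)
    print("generation:", gen, "variant:", variant)
    print("bytes:", encode(variant).hex(), "introns at:", introns(variant))
```

The search typically succeeds within a generation or two because the cheapest evasion is an intron: any instruction that only touches r2 or r3, or a NOP, inserted between the two loads breaks the contiguous byte pattern without changing the observable registers, which is exactly the obfuscation lever the abstract credits to GP's intron behaviour. The `introns` helper makes that explicit by reporting which instructions of a variant carry no semantics. In the paper's setting the same loop structure applies with the real instruction set and the detector's rule set standing in for `matches_signature`.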
On evolving buffer overflow attacks using genetic programming