Sting: an Automatic Defense System against Zero-day Exploits

Dawn Song, Carnegie Mellon University

Software vulnerabilities have had a devastating effect on the Internet. Worms such as CodeRed and SQL Slammer can compromise millions of hosts within hours or even minutes. To successfully combat such fast automatic Internet attacks, we need fast automatic attack detection and defense mechanisms.

In this talk, I will present Sting, a new automatic defense system that aims to be effective even against zero-day exploits. Sting employs a novel method, dynamic taint analysis on binaries, for automatic detection and analysis of software exploit attacks. This method allows us to pinpoint the vulnerability and how it is exploited, and to automatically generate signatures/filters that a NIDS can use to filter out attack packets. Compared to previous defense mechanisms, Sting utilizes semantic information about the exploit attacks, and thus achieves much lower false-positive and false-negative rates for detection together with a much faster detection and reaction time. Since the attack detection and signature generation methods used in Sting do not require source code, Sting is easier to deploy and works on commodity software.

Moreover, Sting's signature generation aims to be effective even for polymorphic worms. By combining new semantic-based analysis (i.e., analysis based on precise information about the vulnerability and the exploit) with machine learning methods, Sting identifies the parts of a packet that must stay invariant for an exploit to succeed (even in the case of polymorphic worms). These invariants can then serve as signatures to filter out attack packets. Thus, the signatures generated by Sting are more accurate than those of previous approaches and can be effective even against polymorphic worms.
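As an added illustration of the dynamic-taint-analysis detection and the invariant extraction described in the two paragraphs above (example code written for this page, not Sting's implementation): a toy emulator taints every received packet byte with its packet offset, propagates taint through an unchecked copy, and raises an alert when a return address carries taint, reporting the packet offsets involved, which are exactly the bytes an exploit must keep invariant. The memory layout, the instruction set and the vulnerable service behaviour are constructed assumptions.

```python
MEM_SIZE = 16                        # toy flat memory: 16 bytes, each with its own taint set
BUF_A, BUF_B, SAVED_RET = 0, 8, 12   # constructed stack-frame layout (an assumption, not Sting's)

class TaintAlert(Exception):
    """Control transfer whose target derives from attacker-supplied packet bytes."""

class TaintMachine:
    """Byte-level memory where each byte remembers the packet offsets it derives from."""
    def __init__(self):
        self.mem = [0] * MEM_SIZE
        self.taint = [set() for _ in range(MEM_SIZE)]      # empty set == untainted
        self.mem[SAVED_RET:SAVED_RET + 2] = [0x34, 0x12]    # benign saved return address 0x1234

    def load16(self, addr):
        value = self.mem[addr] | (self.mem[addr + 1] << 8)
        return value, self.taint[addr] | self.taint[addr + 1]   # union of both bytes' taint

    def recv(self, addr, data, maxlen):
        # Bounded read from the network: packet byte i lands in memory tainted with offset i.
        for i, b in enumerate(data[:maxlen]):
            self.mem[addr + i], self.taint[addr + i] = b, {i}

    def strcpy(self, dst, src):
        # Unbounded copy up to and including the first NUL byte; taint travels with each byte.
        while src < MEM_SIZE and dst < MEM_SIZE:
            self.mem[dst], self.taint[dst] = self.mem[src], set(self.taint[src])
            if self.mem[src] == 0:
                return
            src, dst = src + 1, dst + 1

    def ret(self, addr):
        # The check: a return address carrying any taint means packet bytes now choose the PC.
        target, taint = self.load16(addr)
        if taint:
            raise TaintAlert(target, sorted(taint))
        return target

def run_vulnerable_service(packet):
    """Emulate recv into BUF_A, strcpy into BUF_B, then return: (alerted, target, offsets)."""
    m = TaintMachine()
    m.recv(BUF_A, packet, maxlen=8)
    m.strcpy(BUF_B, BUF_A)
    try:
        return False, m.ret(SAVED_RET), []
    except TaintAlert as alert:
        target, offsets = alert.args
        return True, target, offsets    # offsets: the packet positions an exploit must control

if __name__ == "__main__":
    print(run_vulnerable_service(b"GET"), run_vulnerable_service(b"AAAA\x41\x42"))
```

The constructed request `b"GET"` returns cleanly to 0x1234, while the constructed six-byte request overflows BUF_B through the copy and is flagged with offsets [4, 5]; a filter built from those offsets would still match a polymorphic variant that changes the other bytes.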

I will also briefly describe another project of interest, TrafficComber, an automatic traffic analysis system that detects anomalies and correlations in network traffic and identifies misbehaving or malicious hosts using novel streaming algorithms and machine learning methods.

Gates 4B (opposite 490) Tuesday 03/08/05 1630 hrs