A common way to gain control of victim hosts is to launch buffer overflow attacks by remote exploits.This paper proposes a behavior-based buffer overflow attacker blocker,which can dynamically detect and prevent remot...A common way to gain control of victim hosts is to launch buffer overflow attacks by remote exploits.This paper proposes a behavior-based buffer overflow attacker blocker,which can dynamically detect and prevent remote buffer overflow attacks by filtering out the client requests that contain malicious executable codes.An important advantage of this approach is that it can block the attack before the exploit code begins affecting the target program.The blocker is composed of three major components,packet decoder,disassembler,and behavior-based detection engine.It decodes the network packets,extract possible instruction sequences from the payload,and analyzes whether they contain attack behaviors.Since this blocker based its effectiveness on the commonest behavior patterns of buffer overflow shellcode,it is expected to detect not only existing attacks but also zero-day attacks.Moreover,it has the capability of detecting attack-size obfuscation.展开更多
文摘A common way to gain control of victim hosts is to launch buffer overflow attacks by remote exploits.This paper proposes a behavior-based buffer overflow attacker blocker,which can dynamically detect and prevent remote buffer overflow attacks by filtering out the client requests that contain malicious executable codes.An important advantage of this approach is that it can block the attack before the exploit code begins affecting the target program.The blocker is composed of three major components,packet decoder,disassembler,and behavior-based detection engine.It decodes the network packets,extract possible instruction sequences from the payload,and analyzes whether they contain attack behaviors.Since this blocker based its effectiveness on the commonest behavior patterns of buffer overflow shellcode,it is expected to detect not only existing attacks but also zero-day attacks.Moreover,it has the capability of detecting attack-size obfuscation.
