TY - GEN
T1 - MetaSymploit
T2 - 22nd USENIX Security Symposium
AU - Wang, Ruowen
AU - Ning, Peng
AU - Xie, Tao
AU - Chen, Quan
N1 - Publisher Copyright:
Copyright © 2013 USENIX Security Symposium. All rights reserved.
PY - 2013
Y1 - 2013
N2 - A script-based attack framework is a new type of cyber-attack tool written in scripting languages. It carries various attack scripts targeting vulnerabilities across different systems. It also supports fast development of new attack scripts that can even exploit zero-day vulnerabilities. Such mechanisms pose a big challenge to the defense side since traditional malware analysis cannot catch up with the emerging speed of new attack scripts. In this paper, we propose MetaSymploit, the first system of fast attack script analysis and automatic signature generation for a network Intrusion Detection System (IDS). As soon as a new attack script is developed and distributed, MetaSymploit uses security-enhanced symbolic execution to quickly analyze the script and automatically generate specific IDS signatures to defend against all possible attacks launched by this new script from Day One. We implement a prototype of MetaSymploit targeting Metasploit, the most popular penetration framework. In the experiments on 45 real attack scripts, MetaSymploit automatically generates Snort IDS rules as signatures that effectively detect the attacks launched by the 45 scripts. Furthermore, the results show that MetaSymploit substantially complements and improves existing Snort rules that are manually written by the official Snort team.
AB - A script-based attack framework is a new type of cyber-attack tool written in scripting languages. It carries various attack scripts targeting vulnerabilities across different systems. It also supports fast development of new attack scripts that can even exploit zero-day vulnerabilities. Such mechanisms pose a big challenge to the defense side since traditional malware analysis cannot catch up with the emerging speed of new attack scripts. In this paper, we propose MetaSymploit, the first system of fast attack script analysis and automatic signature generation for a network Intrusion Detection System (IDS). As soon as a new attack script is developed and distributed, MetaSymploit uses security-enhanced symbolic execution to quickly analyze the script and automatically generate specific IDS signatures to defend against all possible attacks launched by this new script from Day One. We implement a prototype of MetaSymploit targeting Metasploit, the most popular penetration framework. In the experiments on 45 real attack scripts, MetaSymploit automatically generates Snort IDS rules as signatures that effectively detect the attacks launched by the 45 scripts. Furthermore, the results show that MetaSymploit substantially complements and improves existing Snort rules that are manually written by the official Snort team.
UR - http://www.scopus.com/inward/record.url?scp=84937590104&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84937590104&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84937590104
T3 - Proceedings of the 22nd USENIX Security Symposium
SP - 65
EP - 80
BT - Proceedings of the 22nd USENIX Security Symposium
PB - USENIX Association
Y2 - 14 August 2013 through 16 August 2013
ER -