Donghai Tian

Hierarchical Distributed Alert Correlation Model

Alert correlation is a promising technique in intrusion detection. It takes the alerts produced by intrusion detection systems and produces compact reports which provide a more succinct and high-level view of occurring or attempted intrusions and highly improve security expert’s work efficiency. Traditional alert correlation system adopts a centralized architecture which can be easily over flooded by the raw alarms. To address this issue, a distributed alert correlation model based on hierarchical architecture is proposed. This model greatly improves the performance of alert correlation through integrating three novel methods. The experiments show effectiveness of this alert correlation model on 2000 DARPA intrusion detection scenario specific datasets.

SA3: Automatic Semantic Aware Attribution Analysis of Remote Exploits

Web services have been greatly threatened by remote exploit code attacks, where maliciously crafted HTTP requests are used to inject binary code to compromise web servers and web applications. In practice, besides detection of such attacks, attack attribution analysis, i.e., to automatically categorize exploits or to determine whether an exploit is a variant of an attack from the past, is also very important. In this paper, we present SA3, an exploit code attribution analysis which combines semantic analysis and statistical analysis to automatically categorize a given exploit code. SA3 extracts semantic features from an exploit code through data anomaly analysis, and then attributes the exploit to an appropriate class based on our statistical model derived from a Markov model. We evaluate SA3 over a comprehensive set of shellcode collected from Metasploit and other polymorphic engines. Experimental results show that SA3 is effective and efficient. The attribution analysis accuracy can be over 90% in different parameter settings with false positive rate no more than 4.5%. To our knowledge, SA3 is the first work combining semantic analysis with statistical analysis for exploit code attribution analysis.

Defeating buffer overflow attacks via virtualization

Display Omitted We propose an on-the-fly buffer overflow prevention mechanism, which can protect the target program without restarting it.We make use of the virtualization technology to transparently defend against buffer overflow attacks.Our system does not need any changes to the existing programs and OS, and it can be easily deployed in the VM environment. Buffer overflow defenses have been comprehensively studied for many years. Different from previous solutions, we propose PHUKO, an on-the-fly buffer overflow prevention system which leverages virtualization technology. PHUKO offers the protected program a fully transparent environment and an easy deployment without the need to restart the program. Generally, the working process of PHUKO can be divided into two stages. First, we utilize static binary analysis to identify the instructions offline which are the entries of vulnerable functions. Second, by combining virtual machine introspection and online patching, PHUKO instruments the protected running program on-the-fly with memory safety enforcement. The experiments show that our system can defend against realistic buffer overflow attacks effectively with a moderate performance overhead.

Semantic aware attribution analysis of remote exploits

Web services have been greatly threatened by remote exploit code attacks, where maliciously crafted HTTP requests are used to inject binary code to compromise web servers and web applications. In practice, besides detection of such attacks, attack attribution analysis (i.e., to automatically categorize exploits or determine whether an exploit is a variant of an attack from the past) is also very important. In this paper, we present SA 3 , a novel exploit code attribution analysis that combines semantics-based analysis and statistical modeling to automatically categorize given exploit code. SA 3 extracts semantic features from exploit code through data anomaly analysis and then attributes the exploit to an appropriate class on the basis of our statistical model derived from a Markov model. We evaluate SA 3 over a comprehensive set of shellcode collected from Metasploit and other polymorphic engines. Experimental results show that SA 3 is effective and efficient. The attribution analysis accuracy can be over 90% in different parameter settings with false positive rate no more than 4.5%. The novelty of SA 3 is that it combines semantic analysis with statistical modeling for exploit code attribution analysis.

Software Cruising: A New Technology for Building Concurrent Software Monitor

We introduce a novel concurrent software monitoring technology, called software cruising. It leverages multicore architectures and utilizes lock-free data structures and algorithms to achieve efficient and scalable security monitoring. Applications include, but are not limited to, heap buffer integrity checking, kernel memory cruising, data structure and object invariant checking, rootkit detection, and information provenance and flow checking. In the software cruising framework, one or more dedicated threads, called cruising threads, are running concurrently with the monitored user or kernel code, to constantly check, or cruise, for security violations. We believe the software cruising technology would result in a game-changing capability in security monitoring for the cloud-based and traditional computing and network systems.

Policy-centric protection of OS kernel from vulnerable loadable kernel modules

Due to lack of the protecting mechanism in the kernel space, the loadable kernel modules (LKM) may be exploited and thus seriously affecting the OS kernels security via utilizing the implicit or explicit vulnerabilities. Although lots of systems have been developed to address the above problem, there still remain some challenges. a) How to automatically generate a security policy before the kernel module is enforced? b) How to properly mediate the interactions between the kernel module and OS kernel to ensure the policy consistence without modifications (or least changes) on the existing OS, hardware, and kernel module structure? In this paper, we present LKMG, a policy-centric system which can protect commodity OS kernel from vulnerable loadable kernel modules. More powerful than previous systems, LKMG is able to generate a security policy form the kernel module, and then enforce the policy during the kernel modules execution. Generally, the working process of LKMG can be divided into two stages. First, we utilize static analysis to extract the kernel code and data access patterns from a kernel modules source code, and then combine these patterns with the related memory address information to generate a security policy. Second, by leveraging hardware-based virtualization technology, LKMG isolates the kernel module from the rest of the kernel, and then enforces the kernel modules execution to obey the derived policy. The experiment show that our system can defend against various loadable kernel module exploitations effectively with moderate performance overhead.

Integrating offline analysis and online protection to defeat buffer overflow attacks

Nowadays Buffer overflow attacks are still recognized as one of the most severe threats in software security. Previous solutions suffer from limitations in that: 1) Some methods based on compiler extensions have limited practicality because they need to access source code; 2) Other methods that need to modify some aspects of the operating system or hardware require much deployment effort; 3) Almost all methods are unable to deploy a runtime protection for programs that cannot afford to restart. In this paper, we propose PHUKO, an on-the-fly buffer overflow prevention system which leverages virtualization technology. PHUKO offers the protected program a fully transparent environment and an easy deployment without the need to restart the program. The experiments show that our system can defend against realistic buffer overflow attacks effectively with moderate performance overhead.

A policy-centric approach to protecting OS kernel from vulnerable LKMs: A Policy-Centric Approach to Protecting OS Kernel from Vulnerable LKMs

Loadable kernel modules (LKMs) that contain vulnerabilities are a big threat to modern operating systems (OSs). The primary reason is that there is no protection mechanism inside the kernel space when the LKM is executed. As a result, kernel module exploitation can seriously affect the OS kernel security. Although many protection systems have been developed to address this problem in the past few years, there still remain some challenges: (1) How to automatically generate a security policy before the kernel module is enforced? (2) How to properly mediate the interactions between the kernel module and the OS kernel without modifications on the existing OS, hardware, and kernel module structure? To address these challenges, we present LKM guard (LKMG), a policy‐centric system that can protect commodity OS kernel from vulnerable LKMs. Compared with previous systems, LKMG is able to generate a security policy from a kernel module and then enforce the policy during the run time. Generally, the working process of LKMG can be divided into 2 stages. First, we utilize static analysis to extract the kernel code and data access patterns from a kernel modules source code and then combine these patterns with the related memory address information to generate a security policy. Second, by leveraging the hardware‐assisted virtualization technology, LKMG isolates the kernel module from the rest of the kernel and then enforces the kernel modules execution to obey the derived policy. The experiments show that our system can defend against various attacks launched by the compromised kernel module effectively with moderate performance cost.

Protecting Kernel Data through Virtualization Technology

Operating system security (OS) is the basis for trust computing. As the kernel rootkits become popular and lots of kernel vulnerabilities are exposed, the OS kernel suffers a large number of attacks. It is difficult to protect the kernel by its own module because the kernel rootkits has the same ability to cripple the security module within the same kernel space. Recently, with the virtualization renaissance, virtualization technology provides many new ways to improve the system security. Utilizing this new technology, we present a kernel protection system called VMhuko. By monitoring the kernel data access actively, VMhuko can defend the kennel data attacks on the fly. The intensive experiment shows that VMhuko can protect the kernel with moderate performance.