基于源代码的缓冲区溢出预防技术

基于缓冲区溢出的攻击是一种常见的安全攻击手段,也是目前惟一最重要最常见的安全威胁。在所有的软件安全漏洞中,缓冲区溢出漏洞大约占一半。该文从编程的角度分析了缓冲区溢出攻击,并提出在源代码阶段尽量避免缓冲区溢出的方法。     

缓冲区溢出的攻击的分析和设计

随着网络技术的发展,网络安全日显突出．针对网络安全分析缓冲区溢出原理和攻击过程,着重分析一种自动缓冲区溢出攻击的方法．并提出两种可以有效防范缓冲区溢出攻击的方法。     

针对非控制数据的缓冲区溢出保护程序

已有的检测缓冲区溢出漏洞的方法有静态的也有动态的.静态分析在软件运行前,析其源代码,找出可能存在的漏洞;动态方法在运行时对可能存在漏洞的软件行为进行监视,发现异常后,进行判断,然后做出适当处理.在分析了传统缓冲区溢出方法的基础上,依据缓冲区溢出攻击的发展趋势,针对非控制数据的缓冲区溢出攻击,提出了一种主要针对非控制数据缓冲区溢出攻击的测试方法,使用变量标识来测试是否发生了缓冲区溢出攻击.这种方法综合了静态和动态分析的优点,能够有效地防御缓冲区溢出攻击.     

缓冲区溢出的软件安全性测试技术研究

缓冲区溢出作为系统或程序自身存在的一种漏洞对系统或软件安全造成了潜在威胁,黑客可以轻易利用这一漏洞进行攻击,以达到控制系统或窃取秘密的目的。据统计,利用缓冲区溢出漏洞进行的攻击已经占到了互联网攻击总数的一半以上。文章在对缓冲区溢出原理进行分析的基础上,给出了缓冲区溢出的故障模型,并提出了基于静态分析的代码自动检测算法,为故障发现及预防奠定了基础。     

基于Libsafe的缓冲区溢出防范技术的研究

缓冲区溢出漏洞问题是一种常见的程序漏洞,在所有的操作系统中平台上或多或少都存在着这样漏洞,文章首先介绍缓冲区漏洞的主要原因和常用的防范措施,然后深入讨论一种基于Libsafe的格式化串漏洞的防范和堆栈溢出防范技术的实现原理和方法。该方法容易实现,配置简单,只要配置LD_PRELOAD环境变量,操作系统就可以调用,不会给系统带来额外的负担,不需要重新编译已经存在的应用程序,可以防范很多未知的缓冲区溢出漏洞。     

缓冲区溢出攻击分析及其防范

详细分析了缓冲区溢出的基本原理,描述了利用缓冲区溢出漏洞进行攻击的基本方式。通过对一段实例程序的溢出和构建攻击语句,直观地演示了缓冲区溢出的形成过程及其攻击原理,最后提出了防范缓冲区溢出的有效措施。     

Cisco IOS系统缓冲区溢出攻击研究

路由器安全在网络安全领域占有非常重要的地位，该文针对互联网中使用最为广泛的Cisco路由器，介绍Cisco IOS的基础特性，从缓冲区溢出的原理出发，阐述一种利用IOS缓冲区溢出漏洞远程攻击路由器的方法，提出针对该类攻击的防护措施。     

一种缓冲区溢出攻击通用模型研究

随着Internet的普及,信息安全问题日趋显著,近年来发生的一系列安全事件让每个连接到Internet的用户感到不安,特别是远程缓冲区溢出攻击更是防不胜防.缓冲区溢出攻击是一种常见的攻击方式,对缓冲区溢出漏洞进行恶意利用,会产生极具破坏性的蠕虫.本文对各种缓冲区溢出漏洞和利用技术进行了深入研究,建立了缓冲区溢出攻击通用模型OSJUMP(Overflow Shellcode Jump),并利用该模型,提出了在模型的各个阶段阻截缓冲区溢出攻击的防范措施.     

缓冲区溢出攻击代码的分析研究

缓冲区溢出漏洞是当前互联网中存在的最主要的威胁之一。该文先讨论了缓冲区溢出漏洞的产生原理和一般的攻击手段,然后分析了利用缓冲区溢出漏洞的攻击代码,给出了攻击代码的主要特征。最后,讨论了如何利用这些特征,来防范缓冲区溢出攻击的发生。     

缓冲区溢出分析及其防范策略研究

缓冲区溢出是一种在各种操作系统和应用软件中广泛存在且危害较大的漏洞。分析了缓冲区溢出攻击的原理,讨论了基于缓冲区溢出的攻击方式和一般规律以及攻击代码的植入方式,给出了防范缓冲区溢出攻击的策略和措施。     

Flow level detection and filtering of low-rate DDoS

The recently proposed TCP-targeted Low-rate Distributed Denial-of-Service (LDDoS) attacks send fewer packets to attack legitimate flows by exploiting the vulnerability in TCP’s congestion control mechanism. They are difficult to detect while causing severe damage to TCP-based applications. Existing approaches can only detect the presence of an LDDoS attack, but fail to identify LDDoS flows. In this paper, we propose a novel metric – Congestion Participation Rate (CPR) – and a CPR-based approach to detect and filter LDDoS attacks by their intention to congest the network. The major innovation of the CPR-base approach is its ability to identify LDDoS flows. A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow, and consequently all of its packets will be dropped. We analyze the effectiveness of CPR theoretically by quantifying the average CPR difference between normal TCP flows and LDDoS flows and showing that CPR can differentiate them. We conduct ns-2 simulations, test-bed experiments, and Internet traffic trace analysis to validate our analytical results and evaluate the performance of the proposed approach. Experimental results demonstrate that the proposed CPR-based approach is substantially more effective compared to an existing Discrete Fourier Transform (DFT)-based approach – one of the most efficient approaches in detecting LDDoS attacks. We also provide experimental guidance to choose the CPR threshold in practice.     

Securing Cloud Computing from Flash Crowd Attack Using Ensemble Intrusion Detection System

Flash Crowd attacks are a form of Distributed Denial of Service (DDoS) attack that is becoming increasingly difficult to detect due to its ability to imitate normal user behavior in Cloud Computing (CC). Botnets are often used by attackers to perform a wide range of DDoS attacks. With advancements in technology, bots are now able to simulate DDoS attacks as flash crowd events, making them difficult to detect. When it comes to application layer DDoS attacks, the Flash Crowd attack that occurs during a Flash Event is viewed as the most intricate issue. This is mainly because it can imitate typical user behavior, leading to a substantial influx of requests that can overwhelm the server by consuming either its network bandwidth or resources. Therefore, identifying these types of attacks on web servers has become crucial, particularly in the CC. In this article, an efficient intrusion detection method is proposed based on White Shark Optimizer and ensemble classifier (Convolutional Neural Network (CNN) and LighGBM). Experiments were conducted using a CICIDS 2017 dataset to evaluate the performance of the proposed method in real-life situations. The proposed IDS achieved superior results, with 95.84% accuracy, 96.15% precision, 95.54% recall, and 95.84% F1 measure. Flash crowd attacks are challenging to detect, but the proposed IDS has proven its effectiveness in identifying such attacks in CC and holds potential for future improvement.     

From zero-shot machine learning to zero-day attack detection

Machine learning (ML) models have proved efficient in classifying data samples into their respective categories. The standard ML evaluation methodology assumes that test data samples are derived from pre-observed classes used in the training phase. However, in applications such as Network Intrusion Detection Systems (NIDSs), obtaining data samples of all attack classes to be observed is challenging. ML-based NIDSs face new attack traffic known as zero-day attacks that are not used in training due to their non-existence at the time. Therefore, this paper proposes a novel zero-shot learning methodology to evaluate the performance of ML-based NIDSs in recognising zero-day attack scenarios. In the attribute learning stage, the learning models map network data features to semantic attributes that distinguish between known attacks and benign behaviour. In the inference stage, the models construct the relationships between known and zero-day attacks to detect them as malicious. A new evaluation metric is defined as Zero-day Detection Rate (Z-DR) to measure the effectiveness of the learning model in detecting unknown attacks. The proposed framework is evaluated using two key ML models and two modern NIDS data sets. The results demonstrate that for certain zero-day attack groups discovered in this paper, ML-based NIDSs are ineffective in detecting them as malicious. Further analysis shows that attacks with a low Z-DR have a significantly distinct feature distribution and a higher Wasserstein Distance range than the other attack classes.

     

Policy-based SQLIA detection and prevention approach for RFID systems

While SQL injection attacks have been plaguing web application systems for years, the possibility of them affecting RFID systems was only identified very recently. However, very little work exists to mitigate this serious security threat to RFID-enabled enterprise systems. In this paper, we propose a policy-based SQLIA detection and prevention method for RFID systems. The proposed technique creates data validation and sanitization policies during content analysis and enforces those policies during runtime monitoring. We tested all possible types of dynamic queries that may be generated in RFID systems with all possible types of attacks that can be mounted on those systems. We present an analysis and evaluation of the proposed approach to demonstrate the effectiveness of the proposed approach in mitigating SQLIA.     

A dynamic trust model exploiting the time slice in WSNs

Wireless sensor networks (WSNs) are composed of a large number of tiny sensor nodes that are self-organized through wireless communication. It aims to perceive, collect, and process information from network coverage areas. The open nature of WSNs makes them easily exposed to a variety of attacks and brings many security challenges. Furthermore, because of the limited resources, some nodes may refuse to forward packets by dropping them to save their resources such as battery, cache, and bandwidth. To resist the attacks from these selfish nodes and to punish them, we propose a fuzzy-based dynamic trust model in this paper. The model uses fuzzy sets combining with grey theory to evaluate every node’s trust credibility based on direct trust and indirect trust relationship. Only those with higher trust values can be chosen to forward packets. Those untrustworthy nodes with lower trust values will be detected and excluded from the trust list. Thus, our proposal also produces an incentive to compel the selfish nodes to wellbehave again to participate in the WSN again. Additionally, we introduce the time slice scheme to guarantee a reliable node possess enough time to enjoy its services, which can solve the problem that a suddenly interrupted link causes a significant decrease of the trust value. Simulation results show that our dynamic trust model can not only demonstrate the effectiveness in detecting selfish nodes, but also possess better performance even if the bursty traffic exists.     

基于softmax激活变换的对抗防御方法

深度学习广泛应用于图像处理、自然语言处理、网络挖掘等各个领域并取得良好效果,但其容易受到对抗攻击、存在安全漏洞的问题引起广泛关注.目前已有一些有效的防御方法,包括对抗训练、数据变化、模型增强等方法.但是,依然存在一些问题,如提前已知攻击方法与对抗样本才能实现有效防御、面向黑盒攻击的防御能力差、以牺牲部分正常样本的处理性...     

Preventing DDoS attacks on internet servers exploiting P2P systems

Recently, there has been a spurt of work [1], [2], [3], [4], [5], [6], [7] showing that a variety of extensively deployed P2P systems may be exploited to launch DDoS attacks on web and other Internet servers, external to the P2P system. In this paper, we dissect these attacks and categorize them based on the underlying cause for attack amplification. We show that the attacks stem from a violation of three key principles: (i) membership information must be validated before use; (ii) innocent participants must only propagate validated information; and (iii) the system must protect against multiple references to the victim. We systematically explore the effectiveness of an active probing approach to validating membership information in thwarting such DDoS attacks. The approach does not rely on centralized authorities for membership verification, and is applicable to both structured (DHT-based) and unstructured P2P systems. We believe these considerations are important to ensure the mechanisms can be integrated with a range of existing P2P deployments. We evaluate the techniques in the context of a widely deployed DHT-based file-sharing system, and a video broadcasting system with stringent performance requirements. Our results show the promise of the approach in limiting DDoS attacks while not sacrificing application performance.     

Design and performance evaluation of a multi-agent-based dynamic lifetime security scheme for AODV routing protocol

Ad hoc networks are becoming an important research aspect due to the self-organization network, dynamically changing topology, temporary network life and equal relationship among member of nodes. However, all the characters of ad hoc network make the security problem more serious. Network security and trustworthiness become the key problems of the network. Denial-of-service and Black hole attacks are the two puzzles in the security of ad hoc network. There are not satisfied solutions to solve the problem. A novel multi-agent-based dynamic lifetime intrusion detection and a response scheme are proposed to combat the two types of attacks. Multi-agents are related to one route request (RREQ)–route reply (RREP) stream. One agent monitors the nodes in three-hop zone. Agent can periodically update itself by the trustworthiness of the neighbor nodes. It can efficiently improve trustworthiness, decrease computing complexity and save energy consumption for network securities. Agent security specifications have been extracted from the feature of the attacks. Multi-agents can trace RREQ and RREP messages, stream to aggregate the key information to link list and MAC-IP control table and analyze them by intrusion detection algorithm. Different security metrics are proposed to quantitatively evaluate network security performance under different attacks. Ns2 simulator is expanded to validate the security scheme. Simulation results show that a multi-agent-based dynamic lifetime security scheme is highly effective to detect and block the two kinds of attacks.     

基于用户使用网络行为分析的主动网络安全模型

目前广泛使用的网络安全防护手段都是被动性的,只能防止部分网络攻击,但无法有效地应付新出现的网络攻击,并且有效地抑制“黑客”活动。基于此,该文提出了一种根据用户使用网络的行为来主动发现并抑制其非法活动的模型,并探讨了其可能的实现方法,以及该模型的有效性和存在的问题。该模型可以和被动防护手段相结合,进一步增强Internet中的网络安全问题。     

基于ROP/JOP gadgets性质的软件多样化评估方法

为应对信息化生活中的网络攻击及威胁,降低网络系统中同质化攻击快速蔓延的风险,增强网络和软件的安全性,软件多样化技术被应用到系统中。软件多样化旨在生成功能等价但内部发生变化的程序变体,从而改变单一的运行环境,缓解同质化攻击。现有的多样化技术的评估指标 ROP（return-oriented programming）gadgets 幸存率难以直接体现安全性影响且评估方法单一,为了更加全面有效地评估软件多样化方法的有效性,提出基于ROP/JOP（jump-oriented programming）gadgets性质的软件多样化评估方法,通过分析常见的代码重用攻击,将抽象的量化转为具象的指标,从空间、时间及质量3个方面评估多样化方法的安全增益及效果。该方法根据gadgets的相似性、损坏度和可用性3个性质探讨软件多样化技术如何影响ROP/JOP攻击。用指令替换、NOP插入、控制流平坦等9种多样化方法对GNU coreutils程序集进行多样化编译生成多样化程序集。对多样化程序集进行基于 gadgets 性质的实验,根据实验结果评估不同多样化方法的有效性及对攻击造成的影响。实验结果表明,该方法能够对软件多样化方法的安全增益进行准确评估,多样化技术会导致 ROP/JOP 攻击所需的攻击链空间增大,构造攻击链的时间变长且攻击成功率降低。不同的多样化方法产生的效果高低不一,对后续研究具有更高安全增益的多样化技术有指导作用。