Sting: An Automatic Defense System against Zero-Day Worm Attacks
[Overview] [Publications] [Back to BitBlaze]


Overview

Worms such as CodeRed and SQL Slammer exploit software vulnerabilities to self-propagate. They can compromise millions of hosts within hours or even minutes and have caused billions of dollars in estimated damage. How can we design and develop effective defense mechanisms against such fast, large scale worm attacks?

We have designed and developed Sting, a new automatic defense system that aims to be effective against even zero-day exploits and protect vulnerable hosts and networks against fast worm attacks. Sting proposes novel approaches and techniques to enable three key steps for effective automatic defense:

  1. Exploit Detection: Automatically detect new exploits quickly and accurately for previously unknown vulnerabilities using techniques such as dynamic taint analysis.
    Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploit Attacks on Commodity Software (NDSS05) [conference version, full version]
  2. Vulnerability Diagnosis: Automatically perform in-depth diagnosis and identify root cause of the vulnerability.
  3. Anti-body Generation: Automatically generate effective anti-bodies for layered defense.
The central theme of Sting's approach is semantics-based which focuses on the root cause, the vulnerability being exploited. As an end-to-end system achieving the above three key steps, Sting can detect, diagnose, and generate effective anti-bodies for a new exploit extremely fast, often within minutes or seconds. The anti-bodies can then be disseminated to protect other hosts and networks from further attacks in a worm outbreak.

Publications

Sweeper: a Lightweight End-to-End System for Defending against Fast Worms.
Joseph Tucek, James Newsome, Shan Lu, Chengdu Huang, Spiros Xanthos, David Brumley, Yuanyuan Zhou, and Dawn Song. In Proceedings of European Conference on Computer Systems (EuroSys), Mar 2007.
Towards Automatic Generation of Vulnerability Signatures
David Brumley, James Newsome, Dawn Song, Hao Wang, and Somesh Jha. In the Proceedings of the IEEE Symposium on Security and Privacy, May 2006.
Vulnerability-Specific Execution Filtering for Exploit Prevention on Commodity Software
James Newsome, David Brumley, and Dawn Song. In the Proceedings of the 13th Annual Network and Distributed Systems Security Symposium (NDSS), 2006.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploit Attacks on Commodity Software (short version)
James Newsome and Dawn Song. In Network and Distributed Systems Security Symposium, Feb 2005.
Sting: an End-to-End Self-healing System for Defending against Zero-day Worm Attacks on Commodity Software.
James Newsome, David Brumley, and Dawn Song. Technical Report CMU-CS-05-191.
Sting: an End-to-End Self-healing System for Defending against Internet Worms .
David Brumley, James Newsome, and Dawn Song. Book chapter in "Malware Detection and Defense", Editors Christodorescu, Jha, Maughn, Song, 2007.


Back to BitBlaze