Open Access Open Access  Restricted Access Subscription Access

A Novel Exploit Traffic Traceback Method Based on Session Relationship


Affiliations
1 State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
 

Vulnerability exploitation is the key to obtaining the control authority of the system, posing a significant threat to network security. Therefore, it is necessary to discover exploitation from traffic. The current methods usually only target a single stage with an incomplete causal relationship and depend on the payload content, causing attacker easily avoids detection by encrypting traffic and other means. We propose a traffic traceback method of vulnerability exploitation to solve the above problems based on session relation. First, we construct the session relationship model using the session correlation of different stages during the exploit. Second, we build a session diagram based on historical traffic. Finally, we traverse the session diagram to find the traffic conforming to the session relationship model. Compared with Blatta, a method detecting early exploit traffic with RNN, the detection rate of our method is increased by 50%, independent of traffic encryption methods.

Keywords

Exploit, Malicious Traffic Detection, Session Relationship, Traffic Analysis.
User
Notifications
Font Size

  • D. Kong, D. Tian, Q. Pan, P. Liu, and D. Wu, “Semantic aware attribution analysis of remote exploits,” Security and Communication Networks, vol. 6, no. 7, pp. 818–832, 2012.
  • J. Wu, A. Arrott, and F. C. Colon Osorio, “Protection against remote code execution exploits of popular applications in windows,” 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), 2014.
  • P. Parrend, J. Navarro, F. Guigou, A. Deruyver, and P. Collet, “Foundations and applications of Artificial Intelligence for Zero-day and multi-step attack detection,” EURASIP Journal on Information Security, vol. 2018, no. 1, 2018.
  • Homoliak, M. Teknös, M. Ochoa, D. Breitenbacher, S. Hosseini, and P. Hanacek, “Improving network intrusion detection classifiers by non-payload-based exploit-independent obfuscations: An adversarial approach,” ICST Transactions on Security and Safety, vol. 5, no. 17, p. 156245, 2019.
  • L. Chen, S. Sultana, and R. Sahita, “HeNet: A deep learning approach on Intel® processor trace for effective exploit detection,” 2018 IEEE Security and Privacy Workshops (SPW), 2018.
  • S. Biswas, M. M. H. K. Sajal, T. Afrin, T. Bhuiyan & M. M. Hassan1, (2018) "A study on remote code execution vulnerability in web applications", International Conference on Cyber Security and Computer Science (ICONCS’18), 2018.
  • F. M. Mokbal, W. Dan, A. Imran, L. Jiuchuan, F. Akhtar, and W. Xiaoxi, “MLPXSS: An integrated XSS-Based Attack Detection Scheme in web applications using multilayer perceptron technique,” IEEE Access, vol. 7, pp. 100567–100580, 2019.
  • M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos, “Network-level polymorphic shellcode detection using emulation,” Journal in Computer Virology, vol. 2, no. 4, pp. 257–274, 2006.
  • K. Borders, A. Prakash, and M. Zielinski, “Spector: Automatically analyzing Shell Code,” TwentyThird Annual Computer Security Applications Conference (ACSAC 2007), 2007.
  • Y. Kanemoto, K. Aoki, M. Iwamura, J. Miyoshi, D. Kotani, H. Takakura, and Y. Okabe, “Detecting successful attacks from ids alerts based on emulation of Remote Shellcodes,” 2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC), 2019.
  • B. A. Pratomo, P. Burnap, and G. Theodorakopoulos, “Blatta: Early exploit detection on network traffic with recurrent neural networks,” Security and Communication Networks, vol. 2020, pp. 1–15, 2020.
  • B. Pratomo, “Low-rate attack detection with intelligent fine-grained network analysis,” dissertation, 2020.
  • P. Irofti, A. Patrascu, and A. I. Hiji, “Unsupervised abnormal traffic detection through topological flow analysis,” 2022 14th International Conference on Communications (COMM), 2022.
  • T. Yadav and A. M. Rao, “Technical aspects of cyber kill chain,” Communications in Computer and Information Science, pp. 438–452, 2015.
  • J. C. Foster, M. Price, and S. McClure, Sockets, Shellcode, porting & coding: Reverse engineering exploits and tool coding for security professionals. Rockland: Syngress Pub., 2005.
  • T.-H. Cheng, Y.-D. Lin, Y.-C. Lai, and P.-C. Lin, “Evasion techniques: Sneaking through your intrusion detection/prevention systems,” IEEE Communications Surveys & Tutorials, vol. 14, no. 4, pp. 1011–1020, 2012.
  • H. A. Noman, Q. Al-Maatouk, and S. A. Noman, “Design and implementation of a security analysis tool that detects and eliminates code caves in windows applications,” 2021 International Conference on Data Analytics for Business and Industry (ICDABI), 2021.
  • I. Stipovic , “Antiforensic techniques deployed by custom developed malware in evading anti-virus detection,” https://arxiv.org/abs/1906.10625, 2019.
  • C. Leka, C. Ntantogian, S. Karagiannis, E. Magkos, and V. S. Verykios, “A comparative analysis of VirusTotal and desktop antivirus detection capabilities,” 2022 13th International Conference on Information, Intelligence, Systems & Applications (IISA), 2022.
  • M. Denis, C. Zena, and T. Hayajneh, “Penetration testing: Concepts, attack methods, and defense strategies,” 2016 IEEE Long Island Systems, Applications and Technology Conference (LISAT), 2016.

Abstract Views: 89

PDF Views: 52




  • A Novel Exploit Traffic Traceback Method Based on Session Relationship

Abstract Views: 89  |  PDF Views: 52

Authors

Yajing Liu
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Ruijie Cai
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Xiaokang Yin
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
Shengli Liu
State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China

Abstract


Vulnerability exploitation is the key to obtaining the control authority of the system, posing a significant threat to network security. Therefore, it is necessary to discover exploitation from traffic. The current methods usually only target a single stage with an incomplete causal relationship and depend on the payload content, causing attacker easily avoids detection by encrypting traffic and other means. We propose a traffic traceback method of vulnerability exploitation to solve the above problems based on session relation. First, we construct the session relationship model using the session correlation of different stages during the exploit. Second, we build a session diagram based on historical traffic. Finally, we traverse the session diagram to find the traffic conforming to the session relationship model. Compared with Blatta, a method detecting early exploit traffic with RNN, the detection rate of our method is increased by 50%, independent of traffic encryption methods.

Keywords


Exploit, Malicious Traffic Detection, Session Relationship, Traffic Analysis.

References