ATTACK-RESISTANT VERIFICATION OF AUTO-GENERATED ANTI-MALWARE SIGNATURES

US 20100175132A1
Filed: 01/05/2009
Published: 07/08/2010
Est. Priority Date: 01/05/2009
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor;

a memory; and

an intrusion prevention application, which, when executed by the processor is configured to verify anti-malware signatures by performing an operation, comprising;

detecting a first attack on a server application executing on the system,determining a candidate payload being processed by the server application contemporaneous to the detected attack,generating a provisional signature corresponding to the first attack,upon determining a first payload addressed to the server application matches the provisional signature, monitoring the effects of the first payload when processed by the server application, andupon determining that processing the first payload results in a second attack on the server application, increasing a confidence metric associated with the provisional signature.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are disclosed for verifying whether payload signatures correspond to a vulnerability or exploit. Generally a security system may be configured to detect an attack on a server while the server is processing a payload. The security system generates (or obtains) a provisional signature corresponding to the vulnerability. For example, a provisional signature may be generated for a vulnerability from a group of payloads determined to correspond to that vulnerability. The effects of subsequent payloads which match the provisional signature may be monitored. If the effects of a payload duplicate the attack symptoms, a confidence metric for provisional signature may be increased. Once the confidence metric exceeds a predetermined threshold, then the provisional signature may be made active and used to block traffic from reaching an intended destination.

Citations

21 Claims

1. A system, comprising:
- a processor;
  
  a memory; and
  
  an intrusion prevention application, which, when executed by the processor is configured to verify anti-malware signatures by performing an operation, comprising;
  
  detecting a first attack on a server application executing on the system,determining a candidate payload being processed by the server application contemporaneous to the detected attack,generating a provisional signature corresponding to the first attack,upon determining a first payload addressed to the server application matches the provisional signature, monitoring the effects of the first payload when processed by the server application, andupon determining that processing the first payload results in a second attack on the server application, increasing a confidence metric associated with the provisional signature.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the operation further comprises:
    - upon determining the confidence metric associated with the provisional signature matching the first payload exceeds a predetermined threshold, storing the provisional signature a verified anti-malware signature; and
      
      upon determining a second payload intended for the server application matches the verified anti-malware signature, blocking the second payload from being processed by the server application.
  - 3. The system of claim 1, wherein the operation further comprises:
    - upon determining a second payload intended for the server application matches the provisional signature, monitoring the effects of the second payload when processed by the server application; and
      
      upon determining that processing the second payload does not result in an attack on the server application, discarding the provisional signature.
  - 4. The system of claim 3, wherein the operation further comprises:
    - caching the discarded provisional signature; and
      
      monitoring for a denial of service (DOS) attack resulting from receiving a plurality of payloads matching the discarded provisional signature.
  - 5. The system of claim 1, wherein the first attack comprises a buffer overflow.
  - 6. The system of claim 1, wherein the first attack comprises shell code configured to exploit a vulnerability of the server application which allows an attacker to cause the application server to execute the shell code on the processor.
  - 7. The system of claim 6, wherein the shell code is delivered to the server application as an HTTP argument.
  - 8. The system of claim 1, wherein the confidence metric provides a measure of confidence that the payload corresponding to the provisional signature carries an intended attack on the server application.
  - 9. The system of claim 1, wherein determining that processing the first payload results in the second attack on the server application comprises:
    - comparing a stack state and an execution path of the server application following processing the first payload with a comparable stack state and execution path of the system following the first attack; and
      
      identifying a match between the stack state and the execution path and the comparable stack state and the execution path.

10. A method to generate and verify anti-malware signatures, comprising:
- detecting a first attack on a server application on a host system, wherein the host system executes an intrusion prevention application and the server application;
  
  determining a candidate payload being processed by the server application contemporaneous to the detected attack;
  
  generating a provisional signature corresponding to the first attack;
  
  upon determining a first payload intended for the server application matches the provisional signature, monitoring the effects of the first payload when processed by the server application; and
  
  upon determining that processing the first payload results in a second attack on the server application, increasing a confidence metric associated with the provisional signature.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, further comprising:
    - upon determining the confidence metric associated with the provisional signature matching the first payload exceeds a predetermined threshold, storing the provisional signature a verified anti-malware signature; and
      
      upon determining a second payload intended for the server application matches the verified anti-malware signature, blocking the second payload from being processed by the server application.
  - 12. The method of claim 10, further comprising:
    - upon determining a second payload intended for the server application matches the provisional signature, monitoring the effects of the second payload when processed by the server application; and
      
      upon determining that processing the second payload does not result in an attack on the server application, discarding the provisional signature.
  - 13. The method of claim 12, further comprising:
    - caching the discarded provisional signature; and
      
      monitoring for a denial of service (DOS) attack resulting from receiving a plurality of payloads matching the discarded provisional signature.
  - 14. The method of claim 10, wherein the first attack comprises a buffer overflow.
  - 15. The method of claim 10, wherein the first attack comprises shell code configured to exploit a vulnerability of the server application which allows an attacker to cause the application server execute the shell code on host system.
  - 16. The method of claim 10, wherein determining that processing the first payload results in the second attack on the server application comprises:
    - comparing a stack state and an execution path of the server application following processing the first payload with a comparable stack state and execution path of the system following the first attack; and
      
      identifying a match between the stack state and the execution path and the comparable stack state and the execution path.

17. A computer-readable storage-medium containing a program which, when executed, performs an operation to generate and verify anti-malware signatures, the operation comprising:
- detecting a first attack on a server application on a host system, wherein the host system executes an intrusion prevention application and the server application;
  
  determining a candidate payload being processed by the server application contemporaneous to the detected attack;
  
  generating a provisional signature corresponding to the first attack;
  
  assigning a confidence metric to the provisional signature;
  
  upon determining a first payload intended for the server application matches the provisional signature, monitoring the effects of the first payload when processed by the server application; and
  
  upon determining that processing the first payload results in a second attack on the server application, increasing a confidence metric associated with the provisional signature.
- View Dependent Claims (18, 19, 20, 21)
- - 18. The computer-readable storage-medium of claim 17, wherein the operation further comprises:
    - upon determining the confidence metric associated with the provisional signature matching the first payload exceeds a predetermined threshold, storing the provisional signature a verified anti-malware signature; and
      
      upon determining a second payload intended for the server application matches the verified anti-malware signature, blocking the second payload from being processed by the server application.
  - 19. The computer-readable storage-medium of claim 17, wherein the operation further comprises:
    - upon determining a second payload intended for the server application matches the provisional signature, monitoring the effects of the second payload when processed by the server application; and
      
      upon determining that processing the second payload does not result in an attack on the server application, discarding the provisional signature.
  - 20. The computer-readable storage-medium of claim 19, wherein the operation further comprises:
    - caching the discarded provisional signature; and
      
      monitoring for a denial of service (DOS) attack resulting from receiving a plurality of payloads matching the discarded provisional signature.
  - 21. The computer-readable storage-medium of claim 17, wherein determining that processing the first payload results in the second attack on the server application comprises:
    - comparing a stack state and an execution path of the server application following processing the first payload with a comparable stack state and execution path of the system following the first attack; and
      
      identifying a match between the stack state and the execution path and the comparable stack state and the execution path.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Ruchansky, Boris, Cherepov, Mikhail, ZAWADOWSKIY, ANDREW

Granted Patent

US 8,474,044 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/564   by virus signature recognition

H04L 2463/141   Denial of service attacks a...

H04L 63/1408   by monitoring network traff...

ATTACK-RESISTANT VERIFICATION OF AUTO-GENERATED ANTI-MALWARE SIGNATURES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

ATTACK-RESISTANT VERIFICATION OF AUTO-GENERATED ANTI-MALWARE SIGNATURES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links