 Reconouncement I'm gonna use laser pointer just a second, and I'm gonna use this screen So those people sitting here, please move either to the center of Rose or to the Right side you prefer to stay there Okay, but I think it depends on how close I am to the mic rather than Okay, so let's start. Thank you for coming for my talk. It's the first talk in the morning So it might be pretty difficult for you to get up early and come here So thank you for showing up The title of my talk is Tira, which is a tool for automatic detection identification and repair of control hijacking attacks I'm Alexey Smirnov, and this is a joint work with trigger chair with my advisor. We are from Stony Brook University Here's the outline of my talk. First I'm gonna give a brief introduction on control hijacking attacks Then I'm gonna talk about the work in the areas of attack detection identification and repair Then I'll present our architecture Dura, which has these three components the attack detection component the attack identification and attack repair component The purpose of attack detection component is to detect a buffer overflow or control hijacking attack so it's similar to the Go of the tools like stack guard and propolis The attack identification component builds up the signature that can be supplied to intrusion detection system So that these attack packets can be filtered out in the future The attack repair component repairs a program and allows to continue its execution as if the attack never happened In the performance evaluation part we're gonna talk about the overheads the random overhand and the compile time overhands of our compiler and They'll conclude with the summary of research contributions and with the directions future work Buffer all flow attacks are the most common type of attacks Computer warms use buffer overflow attacks as a basic build a block for the propagation So as soon as they arrive to a new host they perform a buffer overflow attack hijack control of the underlying program or of the host and Then scan for more vulnerable machines by performing random IP scanning Once they find a new Vulnerable machine they send their body to the new machine and perform the control hijacking attack on that new host a Comprehensive protection strategy should include the phone three components the attack detection component which will detect the control hijacking attack When it happens, that is when the warm tries to get control of the underlying computer The attack identification component is responsible for building the signature of the attack that is for identifying malicious packets and Representing them in the most general form so that polymorphic worms or polymorphic attacks Can be detected by the same signature the attack repair component allows of the compromise program to continue its execution as if the attack never happened that is It should restore the memory image or the environment of the program as it was in the pre attack Time so that the program will think that I'll never if it's never received any attack packets We propose a compiler here is a compiler That instruments programs source code of a program so that the instrumental program can identify Detect and repair itself After a control hijacking attack What is above our old flow attack? Well The idea behind control hijacking attacks is to override a control sensitive data structure Such as the return address function pointer or any other control sensitive data structure By the way, I've got some t-shirts here and books. I'm gonna give them away and I'm gonna ask you questions and Who answers first gets a t-shirt or a book. So here's the first question The return address and the function pointer are two possible types of control sensitive data structure What are other data data structures that a worm or a virus can override that that's what I said function pointer What else? What are you? What do you mean by hip? Well, okay, I got a t-shirt That's what he said probably hip. Okay. That was what I put so the name of the control sensitive data structure is Just word okay any other ideas Okay, for example GOT, which is global offsets table Anyway buffer all flows are possible when the length of the destination buffer is shorter than the length of the data That's been written into it. So whenever you write something that is longer It can override something that is behind this buffer such as return address and that's when the buffer all flow happens Standard leaps the functions such as string CPY or S print f are responsible for most buffer all flow attacks So they're gonna review related working the areas of attack detection identification and repair Stack guard is the first tool for buffer all flow attack detection It works by placing a camera bird in this tech frame and in the function prologue and check this camera bird at function epilogue If the values are different than the taxes happened and the application is terminated Red in is another tool That protects programs for buffer all flow attacks It works by saving the original return errors in a special well-protected buffer at function prologue and Comparise it with the values stored in this tech at function epilogue if the values stored in the protected buffer and in the buffer In the function frame When the function returns are different then an attack is rejected can anyone think of any other tools for attack detection Now snore is common filter engine Okay, I got it You got a T-shirt So let's move to attack identification We need automatic ways for attack identification Because it's very important to generate signatures fast computer warrants infect Vulnerable machines very fast its rate of thousand per minute or maybe tens of thousand per minute Therefore if we wait for a human expert to come up with a signature, which is gonna take a few hours Then the war is gonna Project most vulnerable host on the Internet recent epidemics Propagated at a very very high speed. So it's very difficult for Human expert to come with a signature quickly previous systems for automatic signature generation either Pre-use signatures that consist of only one packet or require the large pool of malicious network data to come up with a comprehensive signature Signature that consists of one packet is sometimes Insufficient because a complex attack can involve multiple packets such as let's say FTP server attack It involves authentic sending out authentication packets and only then sending out the final attack packet a Comprehensive signature should include all attack packets. No, just last one. So here are some some relevant project team check is a tool for It uses the team analysis To generate attack signature and it reports the value of the return address That form used to to hide your control as a signature. So it's only four bytes signature Autograph uses so-called right Arabian fingerprints to To find common sub sequences in a large pool of malicious network data Pull graph and naming also use large pool of malicious data and to use machine learning algorithms to construct a multi packet signature attack repair relies on Checkpointing that is one first check points the program state and Then jumps to previous point in the past to restore programs execution So two approaches here are either keeping complete execution history or do periodic tech checkpointing that is that is to Take a snapshot of the memory image of the program and the second approach relies on a fork system call Which is available under Linux, but might not be available under other operating systems And shadow honey pod project runs two versions of application Instrument that is protected and non-protected and switch between them dynamically When it detects an attack now we move on dear architecture here is a compiler that provides all these three components that detection component at that identification and attack repair component as I said dear is extension to GCC version 3.4.1 currently That it can be used versions as well the idea behind dear is memory omni-slogging and This approach solves all these three problems at the same time So the idea is to maintain a runtime lock of all changes that the program performs Assignments such as a equals b or leapsy functions go such as memcpy change memory state of program and therefore their effects should be saved for example Okay, but we will see some examples there for each memory update dearest tours its source errors its destination address Its length and the pre-image So in the case of the assignment a equals b There's one pointer the Source is the address of variable b because that's where the new data comes from The right address is the edges of a because that's the address that is being written into the length of the data is the size of Type of variable b. So if it's integer it's 4 bytes the pre-image is the old value of a and it's used to restore memory image to the program so the dear compiler Instruments the source code of the program and compile time It adds the login code for variable assignments and for standard library functions at runtime this login code This memory on this log is generated and it's used at repair time to To detect to identify and to repair the attack So how can we detect identifying a parent attack if we have its memory on this log to take an attack We need to compare the current value of return pointer or the return address Saved in the stack frame with the value saved in the memory of this log when we invoke a function We lay out a new stack frame. We save the old return address We save any registers they're used in this function and therefore This is a does it change the memory state of the program Which should be saved in the memory of this look according to our concept Therefore the old value of the return address will be saved in the memory of this look when the function is involved when the function is Returning the this safe value should be compared with the value There's currently on the stack if this two values are different then there's an attack to identify an attack use memory on this log We can trace back the data that's overall the control high the Control sense data structure to the point where it was first received in the program For example through a receive call To repair an attack we need to restore memory in each of the program by using the pre-images That are also safe in the memory of this log. So this idea of keeping the memory of this log of program memory State changes is the essential idea behind our tool And it allows to solve all these three problems of attack detection identification and repair in the same uniform way Memory of this log is a circle buffer each record of this buffer has four fields read address write address length and data Dero saves the effect of each operation of each assignment operation and Such as x equals y where x and y are either directly reference variables and rare references or the reference Variables as I said previously read address set to the address of the right-hand side the right address is set to the address of the left-hand side the length is set to the size of of the Memory update and the data set to the pre-image That stores the data that they're gonna override that is the old value of x If the right-hand side is a complex expression Then a lot great a log record is created for each variable in the right-hand side to handle Memory change performed by standard Library functions here are proxies a few of them such as three manipulation functions form a string functions file network IO functions and other functions change memory state of the program So the proxy function constructs in you memory update of this local record that summarizes the Changes performed by the corresponding Lipsy function and the memory of this local is also used to store tags Which are special records that indicate change to memory to the state of the program For example when the function is invoked function and return to the source and when the function returns function exit tag Insert this text are used at repair and identification time to build up signature and to repair program after an attack So here are a few examples at compile time Let's say there is a statement x equals y plus z So the instrument code the compiler adds to logging calls the first code the effect of variable y the Sorry of variable z the other of the variable y And finally there is this original statement at runtime these two logging calls produce these two log records With the read and write addresses set as I described previously Suppose there is the string CPY code in the source code of the program the direct compiler replaces this code with the proxy function and At the runtime this proxy function insert a log record with the read address of B Because that's where the data is coming from with the write address of a because that's very variety to enter with the length sdr length of B plus one because they're gonna write sdr length of B bytes plus not not terminating character and with the pre-image is a which is the All the value of a the variable the buffer that we replace Now let's talk about the tech detection here uses read like approach that is it saves the original return address when the function is invoked in the first the safe value With the ball of this currently on stack as function epilogue if these two values are different data attack is Here we can protect other control-sensitive data structure such as function pointers God signal handle troubles in a similar function, but it's not implemented. Yes. Now. Let's talk about attack identification So here are the desired properties of an ideal signature a signature should be context a very which means that it should include all the attack packets that participate in given attack and This allows to reuse the rate of false positives It should be also semantics a very that it ideally should incorporate the knowledge about the protocol for example if this is an HTTP attack and The attack request is a get request then the signature should specify it this get so that the Intergent action system can filter out or you just keep all the requests of other types of other protocols and even HTTP But not yet. It should also discard that those packets. It should check the signature only against packets that are HTTP get kind of packets and This also allows to reduce the rate of false positives and the signature to provide a certain degree of flexibility within each packet. So the polymorphic force to change the body as they propagate can be matched using the same signature The attack packets should be represented as regular expressions and That's the desired flexibility the signature should have so as I said These three properties are the desired properties and now let's see how DERA satisfies all those properties. DERA signatures are Kind of severe because they consist of multiple packets. They consist of all packets that an attack consists of And each of those packets is represented as a regular expression And there's a feature called length constraint that allows to limit the attack and part of the packet That is it allows to specify that a terminating character such as now character should occur between offset A and offset B. If the terminating sequence occurs within this offset This is not an attack packet. If there is no such a terminating character In the packet, then this is an attack packet So in some sense this is equivalent to semantics Awareness because it allows to narrow down the part of the packet that That the intrusion detection system search so it doesn't search the specified sequence in the whole packet, but rather this length constraint allows to limit the ordinary down the scope where we search for the Required terminating the string for example, even this is a Same same example if it's a get attack and there's a over the long URL We just terminated by a non-character Here allows to specify that this non-character should occur between the fourth and let's say 20th bit by byte of the packet because the first three characters are get characters and Then the remaining part of the packet is the URL if the terminating character is found in the first 24 bytes of the packet This then this is not an attack and packet if the non-terminating character is not found in the first 24 bytes Then this is an attack packet because the URL is too long memory update slope allows Allows us to construct signatures that consist of multiple packets to represent each packet as a regular expression and to generate a length constraint and they're gonna give an example and We will show how All this functionality is implemented Two types of dependencies exist in the program data and control dependency Data dependency is created when one variable assigned to another for example a equals B same example in this case case a depends on beer a control dependency is created the number variable X and And the variable Y is used I'm sorry variable X used in conditional Expression such as if and Y is in this conditional body. So here's an example in this case Even though there is no direct assignment between X and Y Y depends on X because The value that Y will take depends on the value of X This type of dependency is called is called control dependency no direct assignment But depends is there because value of Y depends on value of X Why we need control the pencil So here's an example FTP server attack involvement authentication Here's an example of vulnerable FTP server Here's the the vulnerable buffer. It has the program has two state variables is authentication ease user And here's the main loop of this server First it receives a packet that it compares the four bytes of the packet if it's quick man The loop breaks if it's user command then ease user variable Say he said to one if it's password command then is used and is user has been said then authentication has been completed and he's Authenticated variable set to one if authentication was not performed previously then the program continues the Client requests are handled only in the case when the author if the authentication has been completed previously So if the user is authenticated then the program checks the first three bytes of the packet if it's get packet then there's a get request and process it returns a file that the user Quests, but this request is only processed if the user has previously authenticated So these are the three packets using the deck There is a URL. I'm sorry. There was a file name. That is too long and that's overrides buffer That's overrides this buffer, which is only 16 characters bytes long Let's look at work records generated at runtime first there is a look record here receive for the receive function for the Proxy function proxies standard receive call and it has this tag Here's the deck. This is the right address. That is that that's the destination but network data is written into The length in the thanks and Here's also the image of the data that varies from that break. Then there's a proxy function for str and cmp Which also has the Right, I'm sorry. That's it's Read address of the variable for is the length of the argument Those are this record specifies indicates that the research Buffer P and the look at first four bytes of this buffer then This record is created for conditional expression and it means that variable P participates in the if expression So for every variable in the if expression we save this variable into memory and this log and this is also this is the record for The statement that updates easier easier variable So in this case the read address set now because we don't know where the data That is written into easy user comes from and it count is just a constant So the right address is easier the length is four and easy user is pre-image Similarly for the second packet. We have the receive record here. We have the string comparison record the checks the first four bytes of the packet we have two conditional variables now because Two variables are checked P and ease user and finally this this is the record that updates the ease authentication variable So finally look this let's look at the third packet. So we also have a record When the packet is received then We also have the conditional record for variable ease authenticate Then there is the record for string comparison at the check the first three bytes of the packet then there is the conditional record for P and finally this is the record and this was created by string CPY proxy function And it describes the fact that the data from buffer Here. I'm sorry data from buffer P plus 4 was written into buffer and The length of the update is as general length of P minus 4 plus 1 Because all bytes of P except the first four bytes were copied into buffer buff And we also save the pre image of P So this is summary these are all log records that are generated at runtime when the server attack is execute and Suppose that the return address is located after the buff Variable that is the return errors is saved at the offset buff plus 17 buffer is a buffer of 16 bytes So the return address is saved at the offset 17 Now let's see how we can detect the control hijack and attack using this memory on this log So we start with look record with the last rock record that over all that's overall this buffer and Here's it's right either errors So we look for the source of this data That is we try to find out where the data came from and this look right at the answer to include this data came from P Return errors was saved at the offset buff plus 17 Therefore the data was read from the offset P plus 4 plus 17, which is P plus 21 That is the return errors value came from memory address P plus 4 plus 17, which is P plus 21 So this is the new errors they will look for now we search memory on this log for the address P plus 21 And if it's reversed this log record this memory of this log upward we can find that there is this receive record that read Data from network into buffer P and the links was 62 and we'll look for memory Memory location with the address P plus 21 and this is the record that has written Data from network into that memory location. So we conclude that here is the Read operation the thread data from network and wrote it into address P plus 21 and Because this is the operation that read data from network. We conclude that this is the Attack and packet so this way we identify the first attack and packet Is it the only packet in the attack? Probably not because the user first only process if the user has authenticated So we need to continue our search and try to find more attack and packets Sure Well debugging is not automatic our tool is completely automatic. It doesn't go out any user moment at all So the process of the desktop here is completely authentic Automatic it's performed by our program not by user not manually. It's not log analysis performed by human expert It's log analysis performed automatically You are right. Now, that's the question of our performance evaluation. We will we will get to this question later And if I don't give it a clear answer I'll talk to you offline So as I said previously, we were able to identify the first attack and packet and now we look for more attack and packets And here's where we use conditional dependencies Let's look at the first memory update statement if we go upward We can see that this statement depends on two conditions that is it's inside two outer if statements The first if statement checks p variable and the the second checks is authenticate variable Therefore this memory update was only possible because of these two checks that involve these two variables variable p is Has been found before before so this record should be discarded Whereas this variable is authenticated should be used for later search So we continue with variable is authenticated and they try to find out whether this variable depends on network packet or not So if you continue traversing the lock upward, you can see this memory updates lock operation And the read address of this operation is unknown because this variable was assigned to a constant therefore, we should again use condition dependencies to find out What our variable is authenticated depends on and we can see two conditional lock records is user and p here Which means that variable is authenticated if authenticated depends conditionally on is user and p So we now look for p and is user we can find p here Therefore we include the variable is user depends on network packet that contains password and this turn turns out to be true because variable p Is set only if the user if the attacker sends password packet That variable is user also depends So a variable is authenticated also depends on is user so we continue with this variable is user and they can find it here This is the memory of this lock operation that sets variable is user its readers is also unknown because it's set to constant Therefore, we should again use control control dependencies to find out whether variable is user depends on any network packets and Once again, we can see this condition expression that uses variable p Therefore we now search for variable p try to find out whether it depends on any network data and It turns out to be true variable p contains the packet payload of the user command So what we can see now we have found three attack packets and So the get packet pass packet user packet The first packet was found using direct dependencies. The remaining two packets were found using control dependencies So the control events are really important to link the first attack and packet to the all the remaining attack and packets Because of this state variables were used in network demons Well, this is just our assumption Well, the real value of the return errors is returned by the attack detection component Well, this is a tech identification. The attack detection component tells you which data structure was damaged So it tells you the return the address of the compromised data structure, which in our case is the return errors So this assumption I just made it up But this address is always known at runtime Let's now give a precise definition of control dependencies We say that The number variable x can prevent control flow from reaching variable y and control depends is created between x and y Let's look at these examples here the left-hand side example Shows an if condition in this case statement one and two depend on condition the savings free to end do not depend on Condition because they will be reached no matter What's the value of variable cond is however if you look at the right-hand side? Then one of these branches here this branch has a return and Therefore if condition E Take such a value that these branches taken then the functional return and savings three to n do not be executed Therefore statement three to n depend conditionally on on variable con So whenever a variable condition variable can prevent certain states from executing those things become depend on the conditional variable Conditional depends can also be created for while and for loops as well So we've talked about how to find all the attack packets now Let's talk about how to represent the attack packets as regular expressions for each bite of the attack packet and it determines whether it was looked at or not non looked at that is Looked at bytes are those that are important to program That is device of the program makes control decision on based on non looked bytes are those that are not important That is they can take any values The bites that they were not looked at are represented as wild cards in the signature file Because the program doesn't care about them. They looked at bytes are presented as they appear in the attacking signature in the attacking packets For example string comparison function compares certain certain bytes of the packet we Let's say control birds such as get word or password or user user keyword and therefore by that match with the These keywords are important to the program Because if those bites are picked up a different the program wouldn't proceed the way it actually proceeded and the tech could not happen dear traversed log forward from where the packs were received to to the end of the log and Detects the bytes they were looked at by the program And as I said previously those by that we looked at our output is ease and no look bites are out with discussion marks So here's an example That's our example once again. So here's the receive record here's the string comparison function the compares first four bytes of the Network packet therefore user This keyword becomes important to the program if this was not user Let's say if that was quick command then the program existed Therefore this user bytes are important to the program So we can conclude the same about password and get bytes But let's look at the last record Even though program manipulates records of the p-buffer Those bytes are manipulated blindly that's program doesn't make any control decisions based on the values of those bytes Therefore, even though they were copied by the program They were because they touched by the program the program didn't make any control decisions based on those bytes Therefore, they are not important to the program and they can be dumped as question marks in the signature file and Here's a length constraint. So here's our network packet And here's the stack and this is return address that was overridden by the attack And that this is the memory updates operation that overwrote the return errors So the identification part of Dira determines the extent of the stack frame that was overridden by the by the attacker and Registration the pre-image using this trace back procedure. It builds up the pre-image of this memory update in the network packet So this big white dot is the pre-image of return address and this is the terminating character So there is the last character of the attacking part of the packet in our cases now now character if we trace it back to the network packet We can assume that this is a new line character So the length constraint should specify that the terminating character should occur between The beginning of this gray area until the pre-image of the return address if this terminating character occurred here then the Memory update operation wouldn't touch return address. It would stop earlier. However, since the return the terminating character was not found there the control hijacking attack occurred So the length constraint limits the attacking part of the packet which is this gray part By specifying the terminating character and the maximum offset in our case This is the pre-image of the return address Where this terminating character should occur? Here's the format of the Dira signature file First comes the number of packets then the length of the current packet then the regular expressions that represents the packet and For the last attacking packet we specify the length constraint that limits the length of the attacking part of the packet Here's the signature for our example. We have three packets. Here's the length of the first packet 11 This is the representation of the packet as a regular expression The first four bytes are important to the program because program used them in string comparison function The rest of this packet is not important and it's represented as question marks The second packet is his length 12 and it's represented as password followed by question marks So once again, these bytes were analyzed by the program the remaining part It was used by the program blindly program didn't care about it. And here's the last packet the Length is 62 the packet is get followed by question marks Once again get was analyzed by the program using string comparison function. The filing came contained here was not analyzed Even though program fetched file using this file name or at least try to fetch it the bytes That that build up this file name were not analyzed by the program The program didn't make any control control for decisions based on those bytes Therefore these bytes are represented as question marks in the signature. They are not important So any while in the user or pass We'll be good enough for the attacker Because that's not true in practice because there are like authentication databases password files stuff of that bad it For example, it's a case that the byte the full user pass and get commands are not important for our program the length of string specifies that starting from byte 4 to byte 17 there should be no character if this not really is found This is not an attack impact if the skirt is not found then the return address is overridden because it's stored at the offset 17 Now let's talk about attack recovery attack recovery brings a program to the state in which it was before the attack back It's very safe. So You're right. That's what we need proxy functions for dear proxy functions. Take care of this kind of Special cases proxy function creates memory on this look that summarizes the effects of the original leapsy function call So two questions are involved with attack recovery first how to restore the pre attack state second How from which point to execute to get to resume execution? the Pre-attack state is restored by restoring memory of this memory image of the program using the information stored in the memory on this log this pre-images stored in the memory on this log The restart point is found In the following way We use the least dynamic the least common dynamic assessor all the function in which the attack was detected in the function in which data was read in and the following example illustrates why This is the the proper function. So here's the function where the data was read in Here's the function when the where the deck was detected. We can restart execution only from function f1. Why because The ex-news flow returned from function f3 to f2 to f1 Then turn to f4 and f5 and it was while it was in f1. It would change the local state of function f1 it would change its local variables and didn't know that we don't keep the Memory Memory state change the effects of memory state change of local variables in this mode because it becomes too expensive We record or we save the effect only of the global variable changes in this mode in the mode when the support recovery and Therefore if we changed the the local variables function f1 We couldn't recover them and we have to restart function f1 from the begin and the same time function f0 was not changed The control flow didn't go there When the when it's reversed from f3 to f5 therefore the local state of function f0 is the same as it was before Therefore we can restart execution from function f1 here which is the least common dynamic assessor of The function where the data was read in in the function bearer the attack occurred and there's a memory on this log and There's now written the last one to find the least common dynamic assessor of the two functions But I don't want to go into the details of this So this slide summarizes the algorithm for finding their start point We don't use any specific operating system features for this but rather to use long jump and send-jump functions before each function call we insert the send-jump call which saved the Valor of the stack pointer and allows to continue the execution by form long jump call using that buffer So this set-jump calls are set in front of each function in location We never want to start execution from a specific function. We just perform long jump using that set-jump point Now we move to performance evaluation and hopefully well this Dera proxy functions take care of this They are responsible for keeping for saving any side of sites effects of library calls or any other You know Calls performed at the program So for each socket read with a socket open socket close There should be proxy function that summarizes the effect of this operation and Saves it in memory on this log and at the repair time this Long record we were processed by the repair procedure and the repair procedure will undo the effect of the You know socket open socket close if it's second socket open then it will close If it's socket closed then the reopen socket so so this is why we need proxy functions Okay, we had five programs and for three of these programs. We had exploit Which we now look from public exploit database. Can anyone name any exploit databases? That's a question for a t-shirt or football. Yes Yes Okay Any other exploit databases? publicly available Come on your hackers What's that? Okay, one more hand there Who read okay? Excellent. What's your answer? Hector Like a storm doesn't have exploit it does Okay so our performance evaluation had two goals in mind first wants to find out the Random overheads and the quality of automatically the random overheads the second goal was to find out the quality of automatically generated signatures So in our configuration, we had server vision We had a few client machines and we used exploit from security him and from insecure that work which are two publicly To two public available sites to contain exploits So here's the graphs that describe the Performance overheads so the problem that overhead can be as high as 70% Which you think prevents our system from being deployed on client machines That we think that our machine can be deployed as a high path as a special dedicated server the trust the instrument programs and catch all attack attempt and on the right hand side you can see the This is the Percentage the breakdown of the type of the log record They were saving the memory on this log These are the signatures that were generated for the three exploits that we had So we had this ghttpd Attack ghttp is an HTTP server. The name D is a DNS server, which is part of the bind program and They are caddys remote caddiemum So it's 70% Sound yeah, so here the programs this is the Well, we compared the original non-instrument program. We we had Several clients regret like the nine client requests and we ran this request against non-instrument program and against instrument program and we measured throughput So that's the difference in throughput. This is the throughput. There's number of requests processed So this 70% number is the difference in number of requests then the instrument non-instruments program can handle Well, uh, I mean us No, we had a server mission. We had a few client machines Okay, I'd like to take this offline So let's look at signatures the first signature is the signature that has only one attack packet So this length of packet. This is the packet that represents the regular expression This is less constrained. It's pretty much the same as the signature that we constructed in our example This is the bind signature signature for DNS Demon One packet. That's a length. There's a length constraint Remote caddiemum had a signature that That consists of three packets because this caddiemum requires either the authentication so here we can see user packet password packet the length constraint and the Yes, the and the last packet All the signatures will generate automatically from a single attack instance Now let's talk about the recovery. Is it really useful? The overhead is pretty high at 70% maybe we can do well without recovery and we think the recovery is really useful because Many programs are single thread and they are like event driven and if you just terminate the program then you Disconnect all the clients. So you have only one bad client You have let's say doesn't have good clients you disconnect one bad and just doesn't good which is very bad for good clients and The same attack can reveal the future and therefore the attacker can implement the denial source attack If you simply terminate the program Instead of recovering if you recover it then repair the effect of the bad guy that you allow good guys to continue their execution And the same tradeoff exists in the case of source code analysis tools whenever you You have a bug if you Use static code analysis tool then they first need to find out this bug And these tools are prone to false positives So we need to determine whether it's a false possible real bug if it turns out to be a real bug Then you have to come with the fix you have to upload this patch patch to the developer site Developer has to verify this patch. So it's also length of process and it was a lot of human expertise So there is the same tradeoff you either invest in amount of runtime as we do or you invest in amount of developers time Which is probably more expensive Now we arrive at the conclusion Dira is the first season that solves the problems of the detection identification and appear in a unified way Using memory on this log it can produce accurate multi-packet signatures from a single attack instance Which you believe is a big achievement because all the previous systems either reported last attack in spaget or they required a large pool of network data to generate an accurate signature multi-packet signature Dynamics license of the memory on this log is the underlying technique behind our tool and it's a well-known Tuning from programming languages, but I think we just found some cool applications for this program languages technique and We plan to apply the same technique in the future to generate patches for buffer or flow attacks This is what the working on be a plan to work in the next few months Our tool is available for download. Please visit our website and Download it and play with it. So if you find bugs worry if you have any Experiences to share it. Please mail me and I'll be happy to answer you. Thank you. I have one book one question I'm sorry well Well, our program generates a signature whenever an attack happens it doesn't Use history doesn't look for previous packets. It doesn't analyze them So whenever you perform an attack a signature will be generated So the question is whether the signature will be different from previously generated signatures or not And I think the answer is yes, because if the length is different then the Regular expressions will also be different. Yes, this is a kind of now source attacks attack But we think it's like more lightweight than complete program restart because a complete program starts disconnects on clients All benign clients and recovery doesn't disconnect anybody except attacker and therefore the benign clients will be able to perform The requests slower than when the program runs normally, but at least they won't be disconnected Which is people if it's pretty good Remember I'll just look at the circle buffer. Yes, the log records are used constantly and Previous records are freed up when the records about to be used. Yes Okay, thank you very much