On the Detection of Exploitation of Vulnerabilities Leading to the Execution of a Malicious Code

Software protection from exploitation of possible unknown vulnerabilities can be performed both by searching (for example, using symbolic execution) and subsequent elimination of the vulnerabilities and by using detection and / or intrusion prevention systems. In the latter case, this problem is usually solved by forming a profile of a normal behavior and deviation from normal behavior over a predetermined threshold is regarded as an anomaly or an attack. In this paper, the task is to protect a given software P from exploiting unknown vulnerabilities. For this aim a method is proposed for constructing a profile of the normal execution of the program P, in which, in addition to a set of legal chains of system and library functions, it is proposed to take into account the distances between adjacent function calls. At the same time, a profile is formed for each program. It is assumed that taking into account the distances between function calls will reveal shell code execution using system and / or library function calls. An algorithm and a system for detecting abnormal code execution are proposed. The work carried out experiments in the case when P is the FireFox browser. During the experiments the possibility of applying the developed algorithm to identify abnormal behavior when launching publicly available exploits was investigated.

Intrusion Prevention System

In the last decade, there is a rapid growth in the use of Internet by the organization for information sharing. As information is very vital to the organizations, it should be preserved and insulated from any unauthorized access or alternation. In last few years, attacks on the computer infrastructures have increased exponentially. Several information security techniques are available now a days like firewalls, anti-virus software and Intrusion prevention systems (IPSs), which are important tools for protecting an organization from intrusions. Now most attacks are impossible to defend with firewalls and anti-virus software alone. Without an IPS, such attacks are difficult to detect and prevent. This chapter presents different definitions of intrusion prevention system with meaningful explanation; compare network IPS with Host IPS, common and the advanced detection methods, common IPS components, coverage of attacks by IPS and criteria to select right IPS. Finally, this chapter concludes with an analysis of the challenges that still remain to be resolved.

Wi-Fi Security Dedicated Architectures

This article will emphasize architectures that were designed due to the new business generated by wireless infrastructures. First, authentication issues of wireless users in “hot spot” - also called “captive portal” - architectures will be discussed. Lastly, recent architectures such as WIDS/WIPS (Wireless Intrusion Detection Systems/Wireless Intrusion Prevention Systems) aiming at detecting any malicious wireless activity will be detailed.

Towards Industrial Intrusion Prevention Systems: A Concept and Implementation for Reactive Protection

System intrusions violate the security of a system. In order to maintain it, it is necessary to decrease the chances of intrusions occurring or by detecting them as soon as they ensue in order to respond to them in a timely manner. These responses are divided in two types: passive or reactive responses. Passive responses are limited to only notification and alerting; whereas, reactive responses influence the intrusion by undoing or diminishing its consequences. Unfortunately, some reactive responses may influence the underlying system where the intrusion has occurred. This is especially a concern in the field of Industrial Automation Systems, as these systems are critical and have a well-defined set of operational requirements that must be maintained. Hence, automatic reactive responses are often not considered or are limited to human intervention. This paper addresses this issue by introducing a concept for reactive protection that integrates the automatic execution of active responses that do not influence the operation of the underlying Industrial Automation System. This concept takes into consideration architectural and security trends, as well as security and operational policies of Industrial Automation Systems. It also proposes a set of reactive actions that can be taken in the presence of intrusions in order to counteract them or diminish their effects. The feasibility and applicability of the presented concept for Industrial Automation Systems is supported by the implementation and evaluation of a prototypical Reactive Protection System.