Please use this identifier to cite or link to this item: https://www.um.edu.mt/library/oar/handle/123456789/92980

| Title: | Obfuscation-resistant, code-injection detection at the network level |
| Authors: | Bellizzi, Jennifer (2014) |
| Keywords: | Computer security; Computer-aided engineering; Data protection |
| Issue Date: | 2014 |
| Citation: | Bellizzi, J. (2014). Obfuscation-resistant, code-injection detection at the network level (Bachelor's dissertation). |
| Abstract: | Code-injection attacks are a type of attack that enables an attacker to disguise executable attack payloads as data inside a program's input, with the intent of injection into the target's memory space, resulting in control flow hijacking. Web servers constitute high-risk targets for such attack payloads due to a vulnerable web service or web application that is currently running on the web server. Static analysis is a form of detection which detects such payloads depending on whether or not they match a specific pattern. Obfuscation is a technique used by attackers which conceals an attack payload within an HTTP request, for example by encoding it, to change its structure but not its behaviour. Due to obfuscation, a technique based on static detection would be futile. The aim of this project is to complement static analysis with dynamic analysis, which could be utilised to enable better detection of such attack payloads, in order for them to be detected even if they are concealed. To this end, we propose a solution whereby candidate attack payload strings are extracted from HTTP requests and their execution is safely emulated inside a sandbox, to detect the presence of executable code which would indicate a potential attack payload. Furthermore, a behaviour matching mechanism is applied to identify an attack solely based on its behaviour, which is not mutated by a payload's structure. Finally, we propose a separate component to enable faster detection, for time efficiency. The results obtained show that dynamic analysis, although more time consuming, is able to detect such attacks, even if they are encoded or concealed in some way, unlike standard static analysers. Our solution ensures safe execution of potential attack payload strings; i.e. in case of an attack, the detector would still be able to function. We conclude as well that, based on its behaviour, an attack can be identified, as its behaviour remains the same regardless of any encoding used. Finally, our results demonstrate that when the optimized approach was used, for time efficiency, it yielded better results with regards to time and was able to detect code-injection attacks at both the infrastructure and application level. |
| Description: | B.SC.(HONS)COMP.SCI. |
| URI: | https://www.um.edu.mt/library/oar/handle/123456789/92980 |
| Appears in Collections: | Dissertations - FacICT - 2014; Dissertations - FacICTCS - 2010-2015 |
Files in This Item:
| File | Description | Size | Format | |
|---|---|---|---|---|
| B.SC.(HONS)ICT_Bellizzi_Jennifer_2014.pdf (Restricted Access) | | 8.15 MB | Adobe PDF | |
Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.
