Title: WeXpose: towards on-line dynamic analysis of web attack payloads using just-in-time binary modification
Authors: Bellizzi, Jennifer
Vella, Mark Joseph
Keywords: Computer-aided engineering
Computer security
Data protection
Issue Date: 2015
Publisher: IEEE
Citation: Bellizzi, J., & Vella, M. (2015, July). Wexpose: Towards on-line dynamic analysis of web attack payloads using just-in-time binary modification. In 2015 12th International Joint Conference on e-Business and Telecommunications (ICETE), France. 5-15.
Abstract: Web applications constitute a prime target for attacks. A subset of these attacks inject code into their targets, posing a threat to the entire hosting infrastructure rather than just to the compromised application. Existing web intrusion detection systems (IDS) are easily evaded when code payloads are obfuscated. Dynamic analysis in the form of instruction set emulation is a well-known answer to this problem; however, it is a solution for off-line settings rather than the on-line IDS setting, and it cannot be used for all types of web attack payloads. Host-based approaches provide an alternative, yet all of them impose runtime overheads. This work proposes just-in-time (JIT) binary modification, complemented with payload-based heuristics, for the provision of an obfuscation-resistant web IDS at the network level. A number of case studies conducted with WeXpose, a prototype implementation of the technique, show that JIT binary modification fits the on-line setting due to native instruction execution, while also isolating the harmful attack side-effects that consequently become a concern. Avoiding emulation makes the approach relevant to all types of payloads, while payload-based heuristics provide practicality.
Appears in Collections:Scholarly Works - FacICTCS

Files in This Item: Restricted Access (Adobe PDF, 236.66 kB)
