bufSTAT - A Tool for Early Detection and Classification of Buffer Overflow Attacks

S. Radosavac, K. Seamon and J. S. Baras

First International Conference on Security and Privacy for Emerging Areas in Communication Networks, Athens, Greece, September 5-9 , 2005.

Abstract

Buffer overflows constitute by far the most frequently encountered class of attacks against computer systems. In this paper we introduce a tool, termed bufSTAT that achieves a low probability of false alarm and issues early attack warnings. BufSTAT relies on Finite State Machines (FSM) for attack modeling and can detect every stage of an ongoing attack and can thus prevent its execution by issuing early warning in a progressive manner. It can also detect sophisticated multi-stage attacks that are executed over long periods of time. A significant attribute of our approach is that it is amenable to detecting unknown attacks as well after appropriate modification of bufSTAT.