A Data Mining Technique to Detect Remote Exploits
Source: Iowa State University
This paper designs and implements DExtor, a data-mining-based exploit code detector that protects network services. The central assumption of the work is that normal traffic to a network service contains only data, whereas exploit code contains executable code; the "exploit code detection" problem therefore reduces to a "code detection" problem. DExtor is an application-layer attack blocker deployed between a web service and its corresponding firewall. The system is first trained on real data containing both exploit code and normal traffic: the training data are disassembled (binary disassembly), features are extracted from the disassembly, and a classifier is trained on those features. Once trained, DExtor is deployed in the network to detect exploit code and protect the network service.
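Added example, not the paper's code: a toy of the pipeline the abstract describes (linear-sweep disassembly, feature extraction, classifier training, then classifying incoming payloads as code or data). The opcode table, the two features, the training samples and the nearest-centroid classifier are all assumptions for illustration, since the page does not give DExtor's own features or classifier.

```python
# Minimal x86-32 linear-sweep decoder (assumption: a handful of opcodes suffices for a toy).
SIMPLE = {0x50, 0x53, 0x55, 0x5b, 0x5d, 0x90, 0xc3, 0xc9}  # push/pop/nop/ret/leave
MODRM = {0x01, 0x31, 0x89, 0x8b, 0x83}                      # add/xor/mov/mov/op-imm8 (ModRM follows)
IMM = {0x83: 1, 0xe8: 4, 0xe9: 4}                            # trailing immediate size

def insn_len(buf, i):
    """Length of the instruction at buf[i]; 0 if the byte does not decode or the insn is cut off."""
    op = buf[i]
    if op not in IMM and op not in SIMPLE and op not in MODRM:
        return 0
    n = 1 + IMM.get(op, 0)
    if op in MODRM:
        if i + 1 >= len(buf):
            return 0
        mod, rm = buf[i + 1] >> 6, buf[i + 1] & 7
        n += 2 if rm == 4 and mod != 3 else 1                 # ModRM byte (+ SIB byte)
        n += {0: 4 if rm == 5 else 0, 1: 1, 2: 4, 3: 0}[mod]  # displacement bytes
    return n if i + n <= len(buf) else 0

def features(buf):
    covered, i = 0, 0
    while i < len(buf):
        n = insn_len(buf, i)
        covered += n
        i += n or 1                     # decode failure: resynchronise one byte later
    printable = sum(1 for b in buf if 0x20 <= b < 0x7f or b in b"\r\n\t")
    return (covered / len(buf), printable / len(buf))   # (instruction coverage, printable share)

def train(samples):
    """Nearest-centroid model: mean feature vector per label; samples = [(bytes, label)]."""
    model = {}
    for label in {lbl for _, lbl in samples}:
        vecs = [features(buf) for buf, lbl in samples if lbl == label]
        model[label] = tuple(sum(col) / len(vecs) for col in zip(*vecs))
    return model

def classify(model, buf):
    """Label whose centroid is nearest (squared Euclidean distance) to the payload's features."""
    vec = features(buf)
    return min(model, key=lambda lbl: sum((a - b) ** 2 for a, b in zip(vec, model[lbl])))

# Constructed training set: benign function prologues/epilogues as "code", HTTP/JSON as "data".
TRAINING = [
    (b"\x55\x89\xe5\x83\xec\x10\x31\xc0\x89\x45\xfc\xc9\xc3", "code"),
    (b"\x8b\x45\x08\x8b\x55\x0c\x01\xd0\x5d\xc3", "code"),
    (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n", "data"),
    (b'{"user": "alice", "action": "login"}', "data"),
]
MODEL = train(TRAINING)
```

`classify(MODEL, payload)` returns "code" or "data": a byte string that decodes cleanly into instructions lands near the code centroid, while text-heavy payloads (where stray letters such as "P" or "1" decode only sporadically) land near the data centroid.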