Network-level polymorphic shellcode detection using emulation

Authors: Michalis Polychronakis, Kostas G. Anagnostakis, Evangelos P. Markatos

DOI: 10.1007/S11416-006-0031-Z

Keywords: Obfuscation (software), Code injection attacks, Evasion (network security), Shellcode, Instruction sequence, Computer science, Heuristic, Computer security, Emulation, Network level

Abstract: Significant progress has been made in recent years towards preventing code injection attacks at the network level. However, as state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to defeat these defenses. A major outstanding question in security research and engineering is thus whether we can proactively develop the tools needed to contain advanced polymorphic and metamorphic attacks. While results have been promising, most of the existing proposals can be defeated using only minor enhancements to the attack vector. In fact, some publicly-available shellcode engines are currently one step ahead of publicly-documented network-level detectors. In this paper, we present a heuristic detection method that scans network traffic streams for the presence of previously unknown polymorphic shellcode. In contrast to previous work, our approach relies on a NIDS-embedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of polymorphic shellcode. Our analysis demonstrates that the proposed approach is more robust to obfuscation techniques like self-modifications compared to previous proposals, but also highlights evasion techniques that need to be more closely examined towards a satisfactory solution to the polymorphic shellcode detection problem.

References (44)
Brad Karp, Hyang-Ah Kim. Autograph: toward automated, distributed worm signature detection. USENIX Security Symposium, pp. 19-19 (2004).
Thomas Toth, Christopher Kruegel. Accurate buffer overflow detection via abstract payload execution. Recent Advances in Intrusion Detection, pp. 274-291 (2002). DOI: 10.1007/3-540-36084-0_15
Matias Madou, Bertrand Anckaert, Patrick Moseley, Saumya Debray, Bjorn De Sutter, Koen De Bosschere. Software protection through dynamic code mutation. Workshop on Information Security Applications, vol. 3786, pp. 194-206 (2005). DOI: 10.1007/11604938_15
Oleg Kolesnikov, Wenke Lee. Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic. Georgia Institute of Technology (2005).
K. G. Anagnostakis, K. Xinidis, A. D. Keromytis, E. Markatos, S. Sidiroglou, P. Akritidis. Detecting targeted attacks using shadow honeypots. USENIX Security Symposium, pp. 9-9 (2005). DOI: 10.7916/D8WM1PS8
Vern Paxson. Bro: a system for detecting network intruders in real-time. Computer Networks, vol. 31, pp. 2435-2463 (1999). DOI: 10.1016/S1389-1286(99)00112-7
Fabrice Bellard. QEMU, a fast and portable dynamic translator. USENIX Annual Technical Conference, pp. 41-41 (2005).
P. Akritidis, E. P. Markatos, M. Polychronakis, K. Anagnostakis. STRIDE: Polymorphic Sled Detection Through Instruction Sequence Analysis. Information Security Conference, pp. 375-391 (2005). DOI: 10.1007/0-387-25660-1_25
Tzi-cker Chiueh, Manish Prasad. A Binary Rewriting Defense Against Stack based Buffer Overflow Attacks. USENIX Annual Technical Conference, pp. 211-224 (2003).
Jack Davidson, John Knight, Jonathan Hill, Chenxi Wang. Software Tamper Resistance: Obstructing Static Analysis of Programs. University of Virginia (2000).