Emulation-based detection of non-self-contained polymorphic shellcode

Authors: Michalis Polychronakis, Kostas G. Anagnostakis, Evangelos P. Markatos

DOI: 10.1007/978-3-540-74320-0_5

Keywords: Embedded system; Emulation; Polymorphic code; Detector; Class (computer programming); Computer science; Throughput (business); Real-time computing; Shellcode; Heuristic (computer science); False positive paradox

Abstract: Network-level emulation has recently been proposed as a method for the accurate detection of previously unknown polymorphic code injection attacks. In this paper, we extend network-level emulation along two lines. First, we present an improved execution behavior heuristic that enables the detection of a certain class of non-self-contained polymorphic shellcodes that are currently missed by existing emulation-based approaches. Second, we present generic algorithmic optimizations that improve the runtime performance of the detector. We have implemented a prototype of the proposed technique and evaluated it using off-the-shelf polymorphic shellcode engines and benign data. The detector achieves a modest processing throughput, which however is enough for decent runtime performance on actual deployments, while it has not produced any false positives. Finally, we report attack activity statistics from a seven-month deployment of our prototype in production networks, which demonstrate the effectiveness and practicality of our approach.

References (28)
Brad Karp, Hyang-Ah Kim. Autograph: toward automated, distributed worm signature detection. USENIX Security Symposium, pp. 19-19 (2004).
Thomas Toth, Christopher Kruegel. Accurate buffer overflow detection via abstract payload execution. Recent Advances in Intrusion Detection, pp. 274-291 (2002). DOI: 10.1007/3-540-36084-0_15
K. G. Anagnostakis, K. Xinidis, A. D. Keromytis, E. Markatos, S. Sidiroglou, P. Akritidis. Detecting targeted attacks using shadow honeypots. USENIX Security Symposium, pp. 9-9 (2005). DOI: 10.7916/D8WM1PS8
Fabrice Bellard. QEMU, a fast and portable dynamic translator. USENIX Annual Technical Conference, pp. 41-41 (2005).
P. Akritidis, E. P. Markatos, M. Polychronakis, K. Anagnostakis. STRIDE: Polymorphic Sled Detection Through Instruction Sequence Analysis. Information Security Conference, pp. 375-391 (2005). DOI: 10.1007/0-387-25660-1_25
James Newsome, Brad Karp, Dawn Song. Paragraph: Thwarting Signature Learning by Training Maliciously. Lecture Notes in Computer Science, pp. 81-105 (2006). DOI: 10.1007/11856214_5
Udo Payer, Peter Teufl, Mario Lamberger. Hybrid engine for polymorphic shellcode detection. International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, pp. 19-31 (2005). DOI: 10.1007/11506881_2
Holger Dreger, Christian Kreibich, Vern Paxson, Robin Sommer. Enhancing the accuracy of network-based intrusion detection with host-based context. International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, pp. 206-221 (2005). DOI: 10.1007/11506881_13
Ke Wang, Janak J. Parekh, Salvatore J. Stolfo. Anagram: A Content Anomaly Detector Resistant to Mimicry Attack. Lecture Notes in Computer Science, pp. 226-248 (2006). DOI: 10.1007/11856214_12
Cristian Estan, George Varghese, Stefan Savage, Sumeet Singh. Automated worm fingerprinting. Operating Systems Design and Implementation, pp. 4-4 (2004).