Free Online Productivity Tools
i2Speak
i2Symbol
i2OCR
iTex2Img
iWeb2Print
iWeb2Shot
i2Type
iPdf2Split
iPdf2Merge
i2Bopomofo
i2Arabic
i2Style
i2Image
i2PDF
iLatex2Rtf
Sci2ools
RAID
2007
Springer
2007
Springer
Emulation-Based Detection of Non-self-contained Polymorphic Shellcode
Network-level emulation has recently been proposed as a method for the accurate detection of previously unknown polymorphic code injection attacks. In this paper, we extend network-level emulation along two lines. First, we present an improved execution behavior heuristic that enables the detection of a certain class of non-self-contained polymorphic shellcodes that are currently missed by existing emulation-based approaches. Second, we present two generic algorithmic optimizations that improve the runtime performance of the detector. We have implemented a prototype of the proposed technique and evaluated it using off-the-shelf non-self-contained polymorphic shellcode engines and benign data. The detector achieves a modest processing throughput, which however is enough for decent runtime performance on actual deployments, while it has not produced any false positives. Finally, we report attack activity statistics from a seven-month deployment of our prototype in a production network, w...
Real-time TrafficNetwork-level Emulation | Non-self-contained Polymorphic Shellcode | RAID 2007 | Unknown Polymorphic Code |
| Added | 09 Jun 2010 |
| Updated | 09 Jun 2010 |
| Type | Conference |
| Year | 2007 |
| Where | RAID |
| Authors | Michalis Polychronakis, Kostas G. Anagnostakis, Evangelos P. Markatos |
Comments (0)
Researcher Info
|
