
RAID
2007
Springer

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Network-level emulation has recently been proposed as a method for the accurate detection of previously unknown polymorphic code injection attacks. In this paper, we extend network-level emulation along two lines. First, we present an improved execution behavior heuristic that enables the detection of a certain class of non-self-contained polymorphic shellcodes that are currently missed by existing emulation-based approaches. Second, we present two generic algorithmic optimizations that improve the runtime performance of the detector. We have implemented a prototype of the proposed technique and evaluated it using off-the-shelf non-self-contained polymorphic shellcode engines and benign data. The detector achieves a modest processing throughput, which is nevertheless sufficient for acceptable runtime performance in actual deployments, and it has produced no false positives. Finally, we report attack activity statistics from a seven-month deployment of our prototype in a production network, w...
Type Conference
Year 2007
Where RAID
Authors Michalis Polychronakis, Kostas G. Anagnostakis, Evangelos P. Markatos