Sciweavers

DIMVA
2006

Network-Level Polymorphic Shellcode Detection Using Emulation

14 years 1 months ago
Network-Level Polymorphic Shellcode Detection Using Emulation
Abstract. As state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to evade detection. Although recent results have been promising, most existing proposals can be defeated using only minor enhancements to the attack vector. We present a heuristic detection method that scans network traffic streams for the presence of polymorphic shellcode. Our approach relies on a NIDS-embedded CPU emulator that executes every potential instruction sequence, aiming to identify the execution behavior of polymorphic shellcodes. Our analysis demonstrates that the proposed approach is more robust to obfuscation techniques like self-modifications compared to previous proposals, but also highlights advanced evasion techniques that need to be more closely examined towards a satisfactory solution to the polymorphic shellcode detection problem.
Michalis Polychronakis, Kostas G. Anagnostakis, Ev
Added 30 Oct 2010
Updated 30 Oct 2010
Type Conference
Year 2006
Where DIMVA
Authors Michalis Polychronakis, Kostas G. Anagnostakis, Evangelos P. Markatos
Comments (0)