Network-level polymorphic shellcode detection using emulation

Abstract

As state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to evade detection. Although recent results have been promising, most existing proposals can be defeated with only minor enhancements to the attack vector. We present a heuristic detection method that scans network traffic streams for the presence of polymorphic shellcode. Our approach relies on a NIDS-embedded CPU emulator that executes every potential instruction sequence in the inspected stream, aiming to identify the execution behavior of polymorphic shellcode rather than its byte patterns. Our analysis demonstrates that the proposed approach is more robust than previous proposals to obfuscation techniques such as self-modifying code, but it also highlights advanced evasion techniques that need to be examined more closely on the way to a satisfactory solution to the polymorphic shellcode detection problem. © Springer-Verlag Berlin Heidelberg 2006.
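The detection idea in the abstract, reduced to a runnable toy, as an added example that is not the authors' code. The paper's heuristic is behavioural: execution is started at every byte offset of the stream, and an offset is flagged when the emulated code first obtains its own address (GetPC code such as call/pop) and then performs a number of "payload reads", i.e. reads of the very bytes being scanned, which is what a decryption loop must do and what a pattern matcher cannot see. The emulator below implements only the handful of 32-bit x86 instructions needed to run a simple call/pop + XOR decoder (everything else faults and ends that path); the mapping address, stack address, step budget and payload-read threshold are assumed parameters, and the HTTP request and decoder are constructed inputs.

```python
"""Toy emulation-based detector (added example, not the paper's code): execute from every
offset of the input and flag GetPC code followed by reads of the scanned buffer itself."""
import struct

BASE = 0x10000           # assumed address at which the scanned bytes are mapped
STACK_TOP = 0x20000      # assumed initial ESP
MAX_STEPS = 256          # assumed instruction budget per start offset
READ_THRESHOLD = 8       # assumed; the paper tunes its own payload-read threshold
EAX, ECX, ESP = 0, 1, 4  # x86 register numbers: eax ecx edx ebx esp ebp esi edi = 0..7


class Emulator:
    # Just enough 32-bit x86 to run call/pop + xor-decoder loops; anything else faults.
    def __init__(self, buf, start):
        self.buf = bytearray(buf)            # writable copy: decoders modify themselves
        self.regs = [0, 0, 0, 0, STACK_TOP, 0, 0, 0]
        self.eip = BASE + start
        self.stack = {}                      # sparse stack: address -> dword
        self.call_slots = set()              # stack slots written by CALL
        self.getpc = False
        self.payload_reads = 0

    def fetch(self, n):
        off = self.eip - BASE
        if off < 0 or off + n > len(self.buf):
            raise ValueError("fetch outside buffer")
        self.eip += n
        return bytes(self.buf[off:off + n])

    def read8(self, addr):
        if not BASE <= addr < BASE + len(self.buf):
            raise ValueError("access outside buffer")
        self.payload_reads += 1              # the code is reading the scanned data itself
        return self.buf[addr - BASE]

    def step(self):
        op = self.fetch(1)[0]
        if op == 0xE8:                                   # call rel32: push return addr, jump
            rel, = struct.unpack("<i", self.fetch(4))
            self.regs[ESP] = (self.regs[ESP] - 4) & 0xFFFFFFFF
            self.stack[self.regs[ESP]] = self.eip
            self.call_slots.add(self.regs[ESP])
            self.eip = (self.eip + rel) & 0xFFFFFFFF
        elif 0x58 <= op <= 0x5F:                         # pop r32
            sp = self.regs[ESP]
            if sp not in self.stack:
                raise ValueError("pop of unwritten stack")
            self.getpc |= sp in self.call_slots          # popping CALL's return address = GetPC
            self.regs[op - 0x58], self.regs[ESP] = self.stack[sp], (sp + 4) & 0xFFFFFFFF
        elif 0xB8 <= op <= 0xBF:                         # mov r32, imm32
            self.regs[op - 0xB8], = struct.unpack("<I", self.fetch(4))
        elif op == 0xB0:                                 # mov al, imm8
            self.regs[EAX] = (self.regs[EAX] & 0xFFFFFF00) | self.fetch(1)[0]
        elif op == 0x30:                                 # xor byte [reg+disp8], r8 (only this form)
            modrm = self.fetch(1)[0]
            if modrm >> 6 != 1 or modrm & 7 == 4:
                raise ValueError("unsupported modrm")
            disp, = struct.unpack("<b", self.fetch(1))
            addr = (self.regs[modrm & 7] + disp) & 0xFFFFFFFF
            self.buf[addr - BASE] = self.read8(addr) ^ (self.regs[(modrm >> 3) & 7] & 0xFF)
        elif 0x40 <= op <= 0x47:                         # inc r32
            self.regs[op - 0x40] = (self.regs[op - 0x40] + 1) & 0xFFFFFFFF
        elif op == 0xE2:                                 # loop rel8
            rel, = struct.unpack("<b", self.fetch(1))
            self.regs[ECX] = (self.regs[ECX] - 1) & 0xFFFFFFFF
            if self.regs[ECX]:
                self.eip = (self.eip + rel) & 0xFFFFFFFF
        else:
            raise ValueError("undecodable opcode 0x%02x" % op)


def run_from(buf, start, threshold=READ_THRESHOLD, max_steps=MAX_STEPS):
    # Emulate from one offset; return (flagged, final emulator state).
    emu, flagged = Emulator(buf, start), False
    for _ in range(max_steps):
        try:
            emu.step()
        except ValueError:
            break                            # invalid instruction or illegal access ends the path
        if emu.getpc and emu.payload_reads >= threshold:
            flagged = True
    return flagged, emu


def scan(buf, **kw):
    """Offsets whose execution shows GetPC followed by enough payload reads."""
    return [i for i in range(len(buf)) if run_from(buf, i, **kw)[0]]


def build_decoder(payload, key):
    """Constructed sample: call/pop GetPC, xor-decode loop, then the key-xored payload."""
    code = (b"\xE8\x00\x00\x00\x00"                      # call $+5   ; pushes address of 'pop'
            b"\x5E"                                      # pop esi    ; esi = that address
            b"\xB9" + struct.pack("<I", len(payload)) +  # mov ecx, len
            b"\xB0" + bytes([key]) +                     # mov al, key
            b"\x30\x46\x0E"                              # xor byte [esi+14], al ; esi+14 -> payload
            b"\x46"                                      # inc esi
            b"\xE2\xFA")                                 # loop back to the xor
    return code + bytes(b ^ key for b in payload)


PAYLOAD = b"CONSTRUCTED-STAGE2-PAYLOAD-BYTES"                        # constructed plaintext
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"   # constructed benign traffic
STREAM = BENIGN + build_decoder(PAYLOAD, 0x5A)                      # benign bytes + decoder
```

`scan(BENIGN)` returns no offsets, while `scan(STREAM)` returns exactly the offset where the decoder begins, because only that start offset yields a path that both pops a CALL-pushed return address and then reads the scanned buffer repeatedly; every other offset faults on an undecodable byte or an out-of-buffer access within a few steps. Two things the toy makes concrete about the real design: the emulator must run from every offset (the decoder can sit anywhere in a stream, and its position-independent GetPC adapts to wherever it lands), and it must operate on a writable copy of the stream, since the decoder rewrites the bytes it is about to execute. What the toy omits is exactly where the paper's evasion discussion lives: a real engine needs a full instruction decoder so that junk instructions and non-call/pop GetPC variants (such as fstenv-based ones) do not abort the path early, and the step budget must be tuned against decoders that waste cycles before reading their payload.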

Citation (APA)

Polychronakis, M., Anagnostakis, K. G., & Markatos, E. P. (2006). Network-level polymorphic shellcode detection using emulation. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4064 LNCS, pp. 54–73). Springer Verlag. https://doi.org/10.1007/11790754_4
