APTs way: Evading Your EBNIDS

Ali Abbasi, Jos Wetzel

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review


    APTs and government-supported attackers use a broad arsenal of techniques to avoid having their exploits detected by IDSes. Signature-based IDSes are not efficient against nation-state-sponsored attackers that use custom shellcode encoders in an exploit. Emulation-Based NIDSes (EBNIDSes) have been proposed as a solution to mitigate such attacks. EBNIDSes detect a suspicious network stream (Pre-Processing) and, after converting it to emulate-able byte sequences, run it in an instrumented environment (Emulation), finally matching the behavior against certain heuristics (Heuristic Detection). In this talk, we will present novel ways that an APT might use to circumvent the Pre-Processing, Emulation and Heuristic Detection steps of EBNIDSes by employing a wide range of evasion techniques.
    Original language: Undefined
    Title of host publication: Black Hat Europe
    Place of Publication: Amsterdam
    Publisher: Black Hat
    Number of pages: 87
    ISBN (Print): not assigned
    Publication status: Published - 16 Oct 2014
    Event: Black Hat Europe - Amsterdam, The Netherlands
    Duration: 16 Oct 2014 to 19 Oct 2014

    Publication series

    Publisher: Black Hat


    Conference: Black Hat Europe
    Other: 16-19 October 2014


    • Intrusion Detection
    • SCS-Cybersecurity
    • EWI-25188
    • METIS-309612
    • Evasion
    • APT
    • IR-92538
