APTs way: Evading Your EBNIDS

Ali Abbasi; Jos Wetzel

APTs way: Evading Your EBNIDS

Ali Abbasi, Jos Wetzel

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

131 Downloads (Pure)

Abstract

APTs and government-supported attackers use a broad arsenal of techniques to avoid having their exploits detected by IDSes. Signature Based IDSes are not efficient against nation-state-sponsored attackers which use custom shellcode encoders in an exploit. Emulation Based NIDSes (EBNIDS) have been proposed as a solution to mitigate such attacks. EBNISes detect a suspicious network stream (pre-processing) and after converting them to emulate-able byte sequences run it in an instrumented environment (Emulation), finally matching the behavior with certain heuristics (Heuristics Detection). In this talk, we will present novel ways that an APT might use to circumvente the Pre-Processing, Emulation and Heuristic Detection steps of EBNIDSes by employing a wide range of evasion techniques.

Original language	Undefined
Title of host publication	Black Hat Europe
Place of Publication	Amsterdam
Publisher	Black Hat
Pages	1-87
Number of pages	87
ISBN (Print)	not assigned
Publication status	Published - 16 Oct 2014
Event	Black Hat Europe - Amsterdam, The Netherlands Duration: 16 Oct 2014 → 19 Oct 2014

Publication series

Name
Publisher	Black Hat

Conference

Conference	Black Hat Europe
Period	16/10/14 → 19/10/14
Other	16-19 October 2014

Keywords

Intrusion Detection
SCS-Cybersecurity
EWI-25188
METIS-309612
Evasion
APT
IR-92538

Access to Document

http://blackhat.com/eu-14/briefings.html#apts-way-evading-your-ebnids

Cite this

@inproceedings{0a88288a21c44c2fb9171aceb4366499,

title = "APTs way: Evading Your EBNIDS",

abstract = "APTs and government-supported attackers use a broad arsenal of techniques to avoid having their exploits detected by IDSes. Signature Based IDSes are not efficient against nation-state-sponsored attackers which use custom shellcode encoders in an exploit. Emulation Based NIDSes (EBNIDS) have been proposed as a solution to mitigate such attacks. EBNISes detect a suspicious network stream (pre-processing) and after converting them to emulate-able byte sequences run it in an instrumented environment (Emulation), finally matching the behavior with certain heuristics (Heuristics Detection). In this talk, we will present novel ways that an APT might use to circumvente the Pre-Processing, Emulation and Heuristic Detection steps of EBNIDSes by employing a wide range of evasion techniques.",

keywords = "Intrusion Detection, SCS-Cybersecurity, EWI-25188, METIS-309612, Evasion, APT, IR-92538",

author = "Ali Abbasi and Jos Wetzel",

note = "eemcs-eprint-25188 ; Black Hat Europe ; Conference date: 16-10-2014 Through 19-10-2014",

year = "2014",

month = oct,

day = "16",

language = "Undefined",

isbn = "not assigned",

publisher = "Black Hat",

pages = "1--87",

booktitle = "Black Hat Europe",

}

TY - GEN

T1 - APTs way: Evading Your EBNIDS

AU - Abbasi, Ali

AU - Wetzel, Jos

N1 - eemcs-eprint-25188

PY - 2014/10/16

Y1 - 2014/10/16

N2 - APTs and government-supported attackers use a broad arsenal of techniques to avoid having their exploits detected by IDSes. Signature Based IDSes are not efficient against nation-state-sponsored attackers which use custom shellcode encoders in an exploit. Emulation Based NIDSes (EBNIDS) have been proposed as a solution to mitigate such attacks. EBNISes detect a suspicious network stream (pre-processing) and after converting them to emulate-able byte sequences run it in an instrumented environment (Emulation), finally matching the behavior with certain heuristics (Heuristics Detection). In this talk, we will present novel ways that an APT might use to circumvente the Pre-Processing, Emulation and Heuristic Detection steps of EBNIDSes by employing a wide range of evasion techniques.

AB - APTs and government-supported attackers use a broad arsenal of techniques to avoid having their exploits detected by IDSes. Signature Based IDSes are not efficient against nation-state-sponsored attackers which use custom shellcode encoders in an exploit. Emulation Based NIDSes (EBNIDS) have been proposed as a solution to mitigate such attacks. EBNISes detect a suspicious network stream (pre-processing) and after converting them to emulate-able byte sequences run it in an instrumented environment (Emulation), finally matching the behavior with certain heuristics (Heuristics Detection). In this talk, we will present novel ways that an APT might use to circumvente the Pre-Processing, Emulation and Heuristic Detection steps of EBNIDSes by employing a wide range of evasion techniques.

KW - Intrusion Detection

KW - SCS-Cybersecurity

KW - EWI-25188

KW - METIS-309612

KW - Evasion

KW - APT

KW - IR-92538

M3 - Conference contribution

SN - not assigned

SP - 1

EP - 87

BT - Black Hat Europe

PB - Black Hat

CY - Amsterdam

T2 - Black Hat Europe

Y2 - 16 October 2014 through 19 October 2014

ER -