Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an in- strumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regards to traditional signature-based systems, as they allow detecting polymorphic (i.e., en- crypted) shellcode. In this paper we investigate and test the actual effec- tiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, ex- ploiting weakness that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.
|Name||Lecture Notes in Computer Science|
|Conference||17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)|
|Period||17/09/14 → 19/09/14|
|Other||17-19 September 2014|
- EC Grant Agreement nr.: FP7/607093