On Emulation-Based Network Intrusion Detection Systems

Ali Abbasi, Jos Wetzel, Wouter Bokslag, Emmanuele Zambon, Sandro Etalle

    Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, Academic, peer-review

    11 Citations (Scopus)

    Abstract

    Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an instrumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with respect to traditional signature-based systems, as they allow detecting polymorphic (i.e., encrypted) shellcode. In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weaknesses that are present at all three levels of the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.
    Original language: Undefined
    Title of host publication: Proceedings of the 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
    Place of Publication: Switzerland
    Publisher: Springer
    Pages: 384-404
    Number of pages: 21
    ISBN (Print): 978-3-319-11379-1
    Publication status: Published - 18 Sep 2014
    Event: 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID) - Gothenburg, Sweden
    Duration: 17 Sep 2014 to 19 Sep 2014

    Publication series

    Name: Lecture Notes in Computer Science
    Publisher: Springer
    Volume: 8688
    ISSN (Print): 0302-9743
    ISSN (Electronic): 1611-3349

    Conference

    Conference: 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
    Period: 17/09/14 to 19/09/14
    Other: 17-19 September 2014

    Keywords

    • SCS-Cybersecurity
    • EC Grant Agreement nr.: FP7/607093
    • EWI-24965
    • Emulation
    • METIS-305975
    • Polymorphism
    • IR-91773
    • Evasion
    • IDS
    • Shellcode
