On Emulation-Based Network Intrusion Detection Systems

Ali Abbasi; Jos Wetzel; Wouter Bokslag; Emmanuele Zambon; Sandro Etalle

doi:10.1007/978-3-319-11379-1_19

On Emulation-Based Network Intrusion Detection Systems

Ali Abbasi, Jos Wetzel, Wouter Bokslag, Emmanuele Zambon, Sandro Etalle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

15 Citations (Scopus)

25 Downloads (Pure)

Abstract

Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an in- strumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regards to traditional signature-based systems, as they allow detecting polymorphic (i.e., en- crypted) shellcode. In this paper we investigate and test the actual effec- tiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, ex- ploiting weakness that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

Original language	Undefined
Title of host publication	Proceedings of the 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Place of Publication	Switzerland
Publisher	Springer
Pages	384-404
Number of pages	21
ISBN (Print)	978-3-319-11379-1
DOIs	https://doi.org/10.1007/978-3-319-11379-1_19
Publication status	Published - 18 Sept 2014
Event	17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID) - Gothenburg, Sweden Duration: 17 Sept 2014 → 19 Sept 2014

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	8688
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
Period	17/09/14 → 19/09/14
Other	17-19 September 2014

Keywords

SCS-Cybersecurity
EC Grant Agreement nr.: FP7/607093
EWI-24965
Emulation
METIS-305975
Polymorphism
IR-91773
Evasion
IDS
Shellcode

Access to Document

10.1007/978-3-319-11379-1_19

http://eprints.eemcs.utwente.nl/secure2/24965/01/86880384.pdf

Cite this

@inproceedings{6792832d67ff4665950aab13566e7be1,

title = "On Emulation-Based Network Intrusion Detection Systems",

abstract = "Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an in- strumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regards to traditional signature-based systems, as they allow detecting polymorphic (i.e., en- crypted) shellcode. In this paper we investigate and test the actual effec- tiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, ex- ploiting weakness that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.",

keywords = "SCS-Cybersecurity, EC Grant Agreement nr.: FP7/607093, EWI-24965, Emulation, METIS-305975, Polymorphism, IR-91773, Evasion, IDS, Shellcode",

author = "Ali Abbasi and Jos Wetzel and Wouter Bokslag and Emmanuele Zambon and Sandro Etalle",

note = "eemcs-eprint-24965 ; 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID) ; Conference date: 17-09-2014 Through 19-09-2014",

year = "2014",

month = sep,

day = "18",

doi = "10.1007/978-3-319-11379-1\_19",

language = "Undefined",

isbn = "978-3-319-11379-1",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "384--404",

booktitle = "Proceedings of the 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)",

address = "Germany",

}

Abbasi, A, Wetzel, J, Bokslag, W, Zambon, E & Etalle, S 2014, On Emulation-Based Network Intrusion Detection Systems. in Proceedings of the 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID). Lecture Notes in Computer Science, vol. 8688, Springer, Switzerland, pp. 384-404, 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID), 17/09/14. https://doi.org/10.1007/978-3-319-11379-1_19

On Emulation-Based Network Intrusion Detection Systems. / Abbasi, Ali; Wetzel, Jos; Bokslag, Wouter et al.
Proceedings of the 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID). Switzerland: Springer, 2014. p. 384-404 (Lecture Notes in Computer Science; Vol. 8688).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - On Emulation-Based Network Intrusion Detection Systems

AU - Abbasi, Ali

AU - Wetzel, Jos

AU - Bokslag, Wouter

AU - Zambon, Emmanuele

AU - Etalle, Sandro

N1 - eemcs-eprint-24965

PY - 2014/9/18

Y1 - 2014/9/18

N2 - Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an in- strumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regards to traditional signature-based systems, as they allow detecting polymorphic (i.e., en- crypted) shellcode. In this paper we investigate and test the actual effec- tiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, ex- ploiting weakness that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

AB - Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an in- strumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regards to traditional signature-based systems, as they allow detecting polymorphic (i.e., en- crypted) shellcode. In this paper we investigate and test the actual effec- tiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, ex- ploiting weakness that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

KW - SCS-Cybersecurity

KW - EC Grant Agreement nr.: FP7/607093

KW - EWI-24965

KW - Emulation

KW - METIS-305975

KW - Polymorphism

KW - IR-91773

KW - Evasion

KW - IDS

KW - Shellcode

U2 - 10.1007/978-3-319-11379-1_19

DO - 10.1007/978-3-319-11379-1_19

M3 - Conference contribution

SN - 978-3-319-11379-1

T3 - Lecture Notes in Computer Science

SP - 384

EP - 404

BT - Proceedings of the 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)

PB - Springer

CY - Switzerland

T2 - 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)

Y2 - 17 September 2014 through 19 September 2014

ER -