TY - GEN
T1 - Real-world polymorphic attack detection using network-level emulation
AU - Polychronakis, Michalis
AU - Anagnostakis, Kostas G.
AU - Markatos, Evangelos P.
PY - 2008
Y1 - 2008
N2 - As state-of-the-art attack detection technology becomes more prevalent, attackers have started to employ techniques such as code obfuscation and polymorphism to defeat these defenses. We have recently proposed network-level emulation, a heuristic detection method that scans network traffic to detect polymorphic attacks. Our approach uses a CPU emulator to dynamically analyze every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of certain malicious code classes, such as self-decrypting polymorphic shellcode. Network-level emulation does not rely on any exploit or vulnerability specific signatures, which allows the detection of previously unknown attacks, while the actual execution of the attack code makes the detector robust to evasion techniques such as self-modifying code. After more than a year of continuous operation in production networks, our prototype implementation has captured more than a million attacks against real systems, employing a highly diverse set of exploits, often against less widely used vulnerable services, while so far has not resulted to any false positives.
AB - As state-of-the-art attack detection technology becomes more prevalent, attackers have started to employ techniques such as code obfuscation and polymorphism to defeat these defenses. We have recently proposed network-level emulation, a heuristic detection method that scans network traffic to detect polymorphic attacks. Our approach uses a CPU emulator to dynamically analyze every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of certain malicious code classes, such as self-decrypting polymorphic shellcode. Network-level emulation does not rely on any exploit or vulnerability specific signatures, which allows the detection of previously unknown attacks, while the actual execution of the attack code makes the detector robust to evasion techniques such as self-modifying code. After more than a year of continuous operation in production networks, our prototype implementation has captured more than a million attacks against real systems, employing a highly diverse set of exploits, often against less widely used vulnerable services, while so far has not resulted to any false positives.
KW - Emulation
KW - Intrusion detection
KW - Polymorphism
KW - Shellcode
UR - https://www.scopus.com/pages/publications/62849118281
U2 - 10.1145/1413140.1413164
DO - 10.1145/1413140.1413164
M3 - Conference contribution
AN - SCOPUS:62849118281
SN - 9781605580982
T3 - CSIIRW'08 - 4th Annual Cyber Security and Information Intelligence Research Workshop: Developing Strategies to Meet the Cyber Security and Information Intelligence Challenges Ahead
BT - CSIIRW'08 - 4th Annual Cyber Security and Information Intelligence Research Workshop
T2 - 4th Annual Cyber Security and Information Intelligence Research Workshop: Developing Strategies to Meet the Cyber Security and Information Intelligence Challenges Ahead, CSIIRW'08
Y2 - 12 May 2008 through 14 May 2008
ER -