research-article

Real-world polymorphic attack detection using network-level emulation

Authors:

Evangelos P. MarkatosAuthors Info & Claims

CSIIRW '08: Proceedings of the 4th annual workshop on Cyber security and information intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead

Article No.: 21, Pages 1 - 3

https://doi.org/10.1145/1413140.1413164

Published: 12 May 2008 Publication History

Get Access

Abstract

As state-of-the-art attack detection technology becomes more prevalent, attackers have started to employ techniques such as code obfuscation and polymorphism to defeat these defenses. We have recently proposed network-level emulation, a heuristic detection method that scans network traffic to detect polymorphic attacks. Our approach uses a CPU emulator to dynamically analyze every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of certain malicious code classes, such as self-decrypting polymorphic shellcode.

Network-level emulation does not rely on any exploit or vulnerability specific signatures, which allows the detection of previously unknown attacks, while the actual execution of the attack code makes the detector robust to evasion techniques such as self-modifying code. After more than a year of continuous operation in production networks, our prototype implementation has captured more than a million attacks against real systems, employing a highly diverse set of exploits, often against less widely used vulnerable services, while so far has not resulted to any false positives.

Supplementary Material

Related slides. (a21-polychronakis-slides.pdf)

Slide presentation for "Real-world polymorphic attack detection using network-level emulation"

Download
2.23 MB

References

[1]

LOBSTER Project. http://www.ist-lobster.org/.

Google Scholar

[2]

D. Antoniades, M. Polychronakis, A. Papadogiannakis, P. Trimintzios, S. Ubik, V. Smotlacha, A. Øslebø, and E. P. Markatos. LOBSTER: A european platform for passive network traffic monitoring. In Proceedings of the 4th International Conference on Testbeds and Research Infrastructures for the Development of Networks & Communities (TRIDENTCOM), March 2008.

Digital Library

Google Scholar

[3]

M. Polychronakis, E. P. Markatos, and K. G. Anagnostakis. Network-level polymorphic shellcode detection using emulation. In Proceedings of the Third Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2006.

Digital Library

Google Scholar

[4]

M. Polychronakis, E. P. Markatos, and K. G. Anagnostakis. Emulation-based detection of non-self-contained polymorphic shellcode. In Proceedings of the 10th International Symposium on Recent Advances in Intrusion Detection (RAID), September 2007.

Digital Library

Google Scholar

[5]

N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadug. The Ghost In The Browser: Analysis of Web-based Malware. In Proceedings of the First Workshop on Hot Topics in Understanding Botnets (HotBots), 2007.

Digital Library

Google Scholar

[6]

V. Yegneswaran, P. Barford, and J. Ullrich. Internet intrusions: global characteristics and prevalence. In Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, 2003.

Digital Library

Google Scholar

Cited By

View all

Song CPons AYen K(2018)AA-HMM: An Anti-Adversarial Hidden Markov Model for Network-Based Intrusion DetectionApplied Sciences10.3390/app81224218:12(2421)Online publication date: 28-Nov-2018
https://doi.org/10.3390/app8122421
CHOI YKIM HLEE D(2012)Detecting Heap-Spraying Code Injection Attacks in Malicious Web Pages Using Runtime ExecutionIEICE Transactions on Communications10.1587/transcom.E95.B.1711E95.B:5(1711-1721)Online publication date: 2012
https://doi.org/10.1587/transcom.E95.B.1711

Index Terms

Real-world polymorphic attack detection using network-level emulation
1. Networks
  1. Network services
    1. Network monitoring

Recommendations

On the infeasibility of modeling polymorphic shellcode

Current trends demonstrate an increasing use of polymorphism by attackers to disguise their exploits. The ability for malicious code to be easily, and automatically, transformed into semantically equivalent variants frustrates attempts to construct ...
Network–Level polymorphic shellcode detection using emulation
DIMVA'06: Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment

As state–of–the–art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to evade detection. Although recent results have been promising, most existing proposals ...
Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks
DIMVA '09: Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of a ...

Comments

Information & Contributors

Information

Published In

May 2008

470 pages

ISBN:9781605580982

DOI:10.1145/1413140

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 May 2008

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CSIIRW '08

CSIIRW '08: Cyber Security and Information Intelligence Research Workshop

May 12 - 14, 2008

Tennessee, Oak Ridge, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

2
Total Citations
View Citations
359
Total Downloads

Downloads (Last 12 months)1
Downloads (Last 6 weeks)0

Reflects downloads up to 01 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Song CPons AYen K(2018)AA-HMM: An Anti-Adversarial Hidden Markov Model for Network-Based Intrusion DetectionApplied Sciences10.3390/app81224218:12(2421)Online publication date: 28-Nov-2018
https://doi.org/10.3390/app8122421
CHOI YKIM HLEE D(2012)Detecting Heap-Spraying Code Injection Attacks in Malicious Web Pages Using Runtime ExecutionIEICE Transactions on Communications10.1587/transcom.E95.B.1711E95.B:5(1711-1721)Online publication date: 2012
https://doi.org/10.1587/transcom.E95.B.1711

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

On the infeasibility of modeling polymorphic shellcode

Network–Level polymorphic shellcode detection using emulation

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks