On emulation-based network intrusion detection systems

A. Abbasi, J. Wetzels, W. Bokslag, E. Zambon, S. Etalle

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review

10 Citations (Scopus)

Abstract

Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an instrumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regard to traditional signature-based systems, as they allow detecting polymorphic (i.e., encrypted) shellcode. In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weaknesses that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

Keywords: Emulation; IDS; Shellcode; Evasion; Polymorphism
Original language: English
Title of host publication: Research in Attacks, Intrusions and Defenses (17th International Symposium, RAID 2014, Gothenburg, Sweden, September 17-19, 2014. Proceedings)
Editors: A. Stavrou, H. Bos, G. Portokalidis
Place of Publication: Berlin
Publisher: Springer
Pages: 384-404
ISBN (Print): 978-3-319-11378-4
DOI: 10.1007/978-3-319-11379-1_19
Publication status: Published - 2014
Event: conference; 17th International Symposium on Research in Attacks, Intrusions and Defenses; 2014-09-17; 2014-09-19
Duration: 17 Sep 2014 to 19 Sep 2014

Publication series

Name: Lecture Notes in Computer Science
Volume: 8688
ISSN (Print): 0302-9743

Conference

Conference: conference; 17th International Symposium on Research in Attacks, Intrusions and Defenses; 2014-09-17; 2014-09-19
Period: 17/09/14 to 19/09/14
Other: 17th International Symposium on Research in Attacks, Intrusions and Defenses


Cite this

Abbasi, A., Wetzels, J., Bokslag, W., Zambon, E., & Etalle, S. (2014). On emulation-based network intrusion detection systems. In A. Stavrou, H. Bos, & G. Portokalidis (Eds.), Research in Attacks, Intrusions and Defenses (17th International Symposium, RAID 2014, Gothenburg, Sweden, September 17-19, 2014. Proceedings) (pp. 384-404). (Lecture Notes in Computer Science; Vol. 8688). Springer. https://doi.org/10.1007/978-3-319-11379-1_19