On emulation-based network intrusion detection systems

A. Abbasi, J. Wetzels, W. Bokslag, E. Zambon, S. Etalle

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer review

10 Citations (Scopus)

Abstract

Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an instrumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward compared with traditional signature-based systems, as they allow detecting polymorphic (i.e., encrypted) shellcode. In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weaknesses that are present at all three levels of the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

Keywords: Emulation; IDS; Shellcode; Evasion; Polymorphism
Original language: English
Title: Research in Attacks, Intrusions and Defenses (17th International Symposium, RAID 2014, Gothenburg, Sweden, September 17-19, 2014. Proceedings)
Editors: A. Stavrou, H. Bos, G. Portokalidis
Place of publication: Berlin
Publisher: Springer
Pages: 384-404
ISBN (Print): 978-3-319-11378-4
DOIs: https://doi.org/10.1007/978-3-319-11379-1_19
Publication status: Published - 2014
Event: conference; 17th International Symposium on Research in Attacks, Intrusions and Defenses; 2014-09-17; 2014-09-19
Duration: 17 Sep 2014 to 19 Sep 2014

Publication series

Name: Lecture Notes in Computer Science
Volume: 8688
ISSN (Print): 0302-9743

Conference

Conference: conference; 17th International Symposium on Research in Attacks, Intrusions and Defenses; 2014-09-17; 2014-09-19
Period: 17/09/14 to 19/09/14
Other: 17th International Symposium on Research in Attacks, Intrusions and Defenses


  • Cite this

    Abbasi, A., Wetzels, J., Bokslag, W., Zambon, E., & Etalle, S. (2014). On emulation-based network intrusion detection systems. In A. Stavrou, H. Bos, & G. Portokalidis (Eds.), Research in Attacks, Intrusions and Defenses (17th International Symposium, RAID 2014, Gothenburg, Sweden, September 17-19, 2014. Proceedings) (pp. 384-404). (Lecture Notes in Computer Science; Vol. 8688). Springer. https://doi.org/10.1007/978-3-319-11379-1_19