In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).
4th International Annual Workshop on Digital Forensics & Incident Analysis (WDFIA 2009)
Title: Real-world Detection of Polymorphic Attacks
Author(s): Michalis Polychronakis, Kostas Anagnostakis, Evangelos Markatos
Keywords: Polymorphism, intrusion detection, code emulation
Abstract: As state-of-the-art attack detection technology becomes more prevalent, attackers have started
to employ evasion techniques such as code obfuscation and polymorphism to defeat existing
defenses. We have recently proposed network-level emulation, a heuristic detection method
that scans network traffic to detect polymorphic attacks. Our approach uses a CPU emulator to
dynamically analyze every potential instruction sequence in the inspected traffic, aiming to
identify the execution behavior of certain malicious code classes, such as self-decrypting
polymorphic shellcode. In this paper, we present results and experiences from deployments of
network-level emulation in production networks. After more than a year of continuous
operation, our prototype implementation has captured more than a million attacks against real
systems, while so far has not resulted to any false positives. The observed attacks employ a
highly diverse set of exploits, often against less widely used vulnerable services, and in some
cases, sophisticated obfuscation schemes.
Download count: 1625
How to get this paper:
PDF copy of this paper is free to download. You may distribute this copy providing you cite this page as the source.