On Emulation-Based Network Intrusion Detection Systems
Published in | Research in Attacks, Intrusions and Defenses, pp. 384-404 |
---|---|
Main Authors | Abbasi, Ali; Wetzels, Jos; Bokslag, Wouter; Zambon, Emmanuele; Etalle, Sandro |
Format | Book Chapter |
Language | English |
Published | Cham: Springer International Publishing, 2014 |
Series | Lecture Notes in Computer Science |
Subjects | Emulation; Evasion; IDS; Polymorphism; Shellcode |
Online Access | http://link.springer.com/10.1007/978-3-319-11379-1_19 |
Field | Value |
---|---|
Abstract | Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an instrumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward compared with traditional signature-based systems, as they allow detecting polymorphic (i.e., encrypted) shellcode. In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weaknesses that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms. |
Authors | Abbasi, Ali (Services, Cyber security and Safety Group, University of Twente, The Netherlands; a.abbasi@utwente.nl); Wetzels, Jos (Eindhoven University of Technology, The Netherlands; a.l.g.m.wetzels@student.utwente.nl); Bokslag, Wouter (Eindhoven University of Technology, The Netherlands; w.bokslag@student.tue.nl); Zambon, Emmanuele (SecurityMatters BV, The Netherlands; emmanuele.zambon@secmatters.com); Etalle, Sandro (Eindhoven University of Technology, The Netherlands; s.etalle@tue.nl) |
ContentType | Book Chapter |
Copyright | Springer International Publishing Switzerland 2014 |
DOI | 10.1007/978-3-319-11379-1_19 |
Discipline | Computer Science |
EISBN | 9783319113791; 3319113798 |
EISSN | 1611-3349 |
Editors | Stavrou, Angelos (astavrou@gmu.edu); Bos, Herbert (herbertb@cs.vu.nl); Portokalidis, Georgios (gportoka@stevens.edu) |
EndPage | 404 |
ISBN | 9783319113784; 331911378X |
ISSN | 0302-9743 |
IsPeerReviewed | true |
IsScholarly | true |
Language | English |
PageCount | 21 |
PublicationPlace | Cham |
PublicationSeriesTitle | Lecture Notes in Computer Science |
PublicationSubtitle | 17th International Symposium, RAID 2014, Gothenburg, Sweden, September 17-19, 2014. Proceedings |
PublicationTitle | Research in Attacks, Intrusions and Defenses |
Publisher | Springer International Publishing |
Related Persons | Hutchison, David (Lancaster University, Lancaster, UK); Kanade, Takeo (Carnegie Mellon University, Pittsburgh, USA); Kittler, Josef (University of Surrey, Guildford, UK); Kleinberg, Jon M. (Cornell University, Ithaca, USA); Kobsa, Alfred (University of California, Irvine, USA); Mattern, Friedemann (ETH Zurich, Zurich, Switzerland); Mitchell, John C. (Stanford University, Stanford, USA); Naor, Moni (Weizmann Institute of Science, Rehovot, Israel); Nierstrasz, Oscar (University of Bern, Bern, Switzerland); Pandu Rangan, C. (Indian Institute of Technology, Madras, India); Steffen, Bernhard (TU Dortmund University, Dortmund, Germany); Terzopoulos, Demetri (University of California, Los Angeles, USA); Tygar, Doug (University of California, Berkeley, USA); Weikum, Gerhard (Max-Planck Institute of Computer Science, Saarbrücken, Germany) |
SourceID | springer |
SourceType | Publisher |
StartPage | 384 |
SubjectTerms | Emulation; Evasion; IDS; Polymorphism; Shellcode |
Title | On Emulation-Based Network Intrusion Detection Systems |
URI | http://link.springer.com/10.1007/978-3-319-11379-1_19 |