Network-level polymorphic shellcode detection using emulation

Polychronakis, Michalis; Anagnostakis, Kostas G.; Markatos, Evangelos P.

doi:10.1007/s11416-006-0031-z

Cited by 60 publications

(146 citation statements)

References 31 publications

(41 reference statements)

Supporting

Mentioning

144

Contrasting

Order By: Relevance

“…We currently use a value of 32 bytes as the threshold for the minimal length of a shellcode sequence. We found that this value works well in our experiments, and it is also significantly shorter than all Windows shellcode encountered in the wild [26].…”

Section: Checking Strings For Shellcodesupporting

confidence: 62%

“…More precisely, their prototype implementation identifies long valid sequences of instructions in HTTP requests, thus detecting the NOP sledge that commonly accompanies shellcode. Continuing this work, Polychronakis et al [24,26] proposed to apply lightweight emulation on network data to identify polymorphic shellcode. This approach relies on the so-called GetPC heuristic.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Egele¹,

Wurzinger²,

Kruegel

et al. 2009

Lecture Notes in Computer Science

118

View full text Add to dashboard Cite

Abstract. Drive-by download attacks are among the most common methods for spreading malware today. These attacks typically exploit memory corruption vulnerabilities in web browsers and browser plug-ins to execute shellcode, and in consequence, gain control of a victim's computer. Compromised machines are then used to carry out various malicious activities, such as joining botnets, sending spam emails, or participating in distributed denial of service attacks. To counter drive-by downloads, we propose a technique that relies on x86 instruction emulation to identify JavaScript string buffers that contain shellcode. Our detection is integrated into the browser, and performed before control is transfered to the shellcode, thus, effectively thwarting the attack. The solution maintains fair performance by avoiding unnecessary invocations of the emulator, while ensuring that every buffer with potential shellcode is checked. We have implemented a prototype of our system, and evaluated it over thousands of malicious and legitimate web sites. Our results demonstrate that the system performs accurate detection with no false positives.

show abstract

Section: Checking Strings For Shellcodesupporting

confidence: 62%

Section: Related Workmentioning

confidence: 99%

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Egele¹,

Wurzinger²,

Kruegel

et al. 2009

Lecture Notes in Computer Science

118

View full text Add to dashboard Cite

show abstract

“…In the past few years, many detection approaches [1], [3], [4], [6], [9] have been proposed. Basically, these methods can be divided into two categories: static analysis [3], [4] and dynamic analysis [1], [6], [9].…”

Section: Introductionmentioning

confidence: 99%

“…Basically, these methods can be divided into two categories: static analysis [3], [4] and dynamic analysis [1], [6], [9]. The core idea of static analysis is to disassemble the network stream and then analyze the code-level patterns that could be signatures obtained from existing shellcode.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Efficient Shellcode Detection on Commodity Hardware

Tian

Chen

et al. 2013

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYAs more and more software vulnerabilities are exposed, shellcode has become very popular in recent years. It is widely used by attackers to exploit vulnerabilities and then hijack program's execution. Previous solutions suffer from limitations in that: 1) Some methods based on static analysis may fail to detect the shellcode using obfuscation techniques. 2) Other methods based on dynamic analysis could impose considerable performance overhead. In this paper, we propose Lemo, an efficient shellcode detection system. Our system is compatible with commodity hardware and operating systems, which enables deployment. To improve the performance of our system, we make use of the multi-core technology. The experiments show that our system can detect shellcode efficiently.

show abstract

On Emulation-Based Network Intrusion Detection Systems

Abbasi

Wetzels

Bokslag

et al. 2014

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an instrumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regards to traditional signature-based systems, as they allow detecting polymorphic (i.e., encrypted) shellcode. In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weakness that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

show abstract

Network-level polymorphic shellcode detection using emulation

Cited by 60 publications

References 31 publications

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Defending Browsers against Drive-by Downloads: Mitigating Heap-Spraying Code Injection Attacks

Efficient Shellcode Detection on Commodity Hardware

On Emulation-Based Network Intrusion Detection Systems

Contact Info

Product

Resources

About