On Emulation-Based Network Intrusion Detection Systems

  • Ali Abbasi
  • Jos Wetzels
  • Wouter Bokslag
  • Emmanuele Zambon
  • Sandro Etalle
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8688)

Abstract

Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an instrumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regard to traditional signature-based systems, as they allow detecting polymorphic (i.e., encrypted) shellcode. In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weaknesses that are present at all three levels of the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

Keywords

Emulation, IDS, Shellcode, Evasion, Polymorphism

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Ali Abbasi (1)
  • Jos Wetzels (1, 2)
  • Wouter Bokslag (2)
  • Emmanuele Zambon (1, 3)
  • Sandro Etalle (1, 2)
  1. Services, Cyber security and Safety Group, University of Twente, The Netherlands
  2. Eindhoven University of Technology, The Netherlands
  3. SecurityMatters BV, The Netherlands