On the infeasibility of modeling polymorphic shellcode

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2007, Pages 541-551

  Song, Yingbo ^a   Locasto, Michael E ^a   Stavrou, Angelos ^a   Keromytis, Angelos D ^a   Stolfo, Salvatore J ^a  

^a Columbia University ^*  (United States)

Author keywords

Polymorphism; Shellcode; Signature generation; Statistical models

Indexed keywords

CURRENT SIGNATURES; DEFENSE MECHANISM; EMPIRICAL EVIDENCE; MALCODE; ON CURRENTS; POLYMORPHIC BEHAVIOR; PROOF OF CONCEPT; QUANTITATIVE ANALYSIS; SHELLCODE; SIGNATURE GENERATION; STATISTICAL MODELS;

INTRUSION DETECTION; NETWORK SECURITY; PACKET SWITCHING;

POLYMORPHISM;

EID: 41549098765     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1315245.1315312     Document Type: Conference Paper

References (44)

1. ALEPHONE. Smashing the Stack for Fun and Profit. Phrack 7, 49-14 (1996).
2. th USENIX Security Symposium. (August 2005).
3. BARATLOO, A., SINGH, N., and TSAI, T. Transparent Run-Time Defense Against Stack Smashing Attacks. In Proceedings of the USENIX Annual Technical Conference (June 2000).
4. th ACM Conference on Computer and Communications Security (CCS) (October 2003).
5. th USENIX Security Symposium (August 2003), pp. 105-120.
6. BIONDI, P. Shellforge Project, 2006. httpa://www.secdev.org/projects/ shellforge/.
7. BRUMLEY, D., NEWSOME, J., SONG, D., WANG, H., and JHA, S. Towards Automatic Generation of Vulnerability-Based Signatures. In Proceedings of the IEEE Symposium on Security and Privacy (2006).
8. th International Symposium on Recent Advances in Intrusion Detection (RAID) (September 2005), pp. 284-304.
9. COSTA, M., CROWCROFT, J., CASTRO, M., and ROWSTRON, A. Vigilante: End-to-End Containment of Internet Worms. In Proceedings of the Symposium on Systems and Operating Systems Principles (SOSP) (October 2005).
10. COWAN, C., PU, C., MAIER, D., HINTON, H., WALPOLE, J., BAKKE, P., BEATTIE, S., GRIER, A., WAGLE, P., and ZHANG, Q. Stackguard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks. In Proceedings of the USENIX Security Symposium (1998).
11. th ACM Conference on Computer and Communications Security (CCS) (November 2005).
12. CUI, W., PEINADO, M., WANG, H. J., and LOCASTO, M. E. ShieldGen: Automated Data Patch Generation for Unknown Vulnerabilities with Informed Probing. In Proceedings of the IEEE Symposium on Security and Privacy (May 2007).
13. DETRISTAN, T., ULENSPIEGEL, T., MALCOM, Y., and VON UNDERDUK, M. S. Polymorphic Shellcode Engine Using Spectrum Analysis. Phrack 11, 61-9 (2003).
14. EREN, S. Smashing the Kernel Stack for Fun and Profit. Phrack 11, 60-6 (2003).
15. ETOH, J. GCC Extension for Protecting Applications From Stack-smashing Attacks. In httpa://www.trl.ibm.com/projects/security/ssp (June 2000).
16. FERRIE, P., and SZÖR, P. Zmist Opportunities. httpa://pferrie. tripod.com/papers/zmistpdf, 2005.
17. th ACM Conference on Computer and Communications Security (CCS) (2006), pp. 59-68.
18. JOSHI, A., KING, S. T., DUNLAP, G. W., and CHEN, P. M. Detecting Past and Present Intrusions through Vulnerability-Specific Predicates. In Proceedings of the Symposium on Systems and Operating Systems Principles (SOSP) (October 2005).
19. K2. ADMmutate documentation, 2003. httpa://www.ktwo.ca/ADMmutate-0.8.4. tar.gz.
20. th ACM Conference on Computer and Communications Security (CCS) (October 2003), pp. 272-280.
21. th International Symposium on Recent Advances in Intrusion Detection (RAID) (2006).
22. KIM, H.-A., and KARP, B. Autograph: Toward Automated, Distributed Worm Signature Detection. In Proceedings of the USENIX Security Conference (2004).
23. KRUGEL, C., KIRDA, E., MUTZ, D., ROBERTSON, W., and VIGNA, G. Polymorphic Worm Detection Using Structural Information of Executables. In Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID) (September 2005), pp. 207-226.
24. th ACM Conference on Computer and Communications Security (CCS) (November 2005).
25. th International Symposium on Recent Advances in Intrusion Detection (RAID) (September 2005), pp. 82-101.
26. METASPLOIT DEVELOPEMENT TEAM. Metasploit Project, 2006. httpa://www.metasploit.com.
27. NETHERCOTE, N., and SEWARD, J. Valgrind: A Program Supervision Framework. In Electronic Notes in Theoretical Computer Science (2003), vol. 89.
28. NEWSOME, J., KARP, B., and SONG, D. Polygraph: Automatically Generating Signatures for Polymorphic Worms. In Proceedings of the IEEE Symposium on Security and Privacy (May 2005).
29. th Symposium on Network and Distributed System Security (NDSS) (February 2005).
30. OBSCOU. Building IA32 'Unicode-Proof' Shellcodes. Phrack 11, 61-11 (2003).
31. POLYCHRONAKIS, M., ANAGNOSTAKIS, K. G., and MARKATOS, E. P. Network-level polymorhpic shellcode detection using emulation. In Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA) (2006).
32. Rix. Writing IA-32 Alphanumeric Shellcodes. Phrack 11, 57-15 (2001).
33. RUSSELL, S., and NORVIG, P. Artificial Intelligence: A Modern Approach. Prentice Hall, 2002.
34. th Information Security Conference (ISC) (September 2005), pp. 1-15.
35. SINGH, S., ESTAN, C., VARGHESE, G., and SAVAGE, S. Automated Worm Fingerprinting. In Proceedings of Symposium on Operating Systems Design and Implementation (OSDI) (2004).
36. SNORT DEVELOPMENT TEAM. Snort Project. httpa://www.snort.org/.
37. SPINELLIS, D. Reliable identification of bounded-length viruses is NP-complete. IEEE Transactions on Information Theory 49, 1 (January 2003), 280-284.
38. th International Symposium on Recent Advances in Intrusion Detection (RAID) (October 2002), pp. 274-291.
39. WANG, H. J., GUO, C., SIMON, D. R., and ZUGENMAIER, A. Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits. In Proceedings of the ACM SIGCOMM Conference (August 2004), pp. 193-204.
40. th International Symposium on Recent Advances in Intrusion Detection (RAID) (September 2005), pp. 227-246.
41. th International Symposium on Recent Advances in Intrusion Detection (RAID) (September 2004), pp. 203-222.
42. th USENIX Security Symposium (2006), pp. 225-240.
43. th ACM Conference on Computer and Communications Security (CCS) (November 2005).
44. th USENIX Security Symposium (2005).