Polymorphic blending attacks

15th USENIX Security Symposium

Volumn , Issue , 2006, Pages 241-256

  Fogla, Prahlad ^a   Sharif, Monirul ^a   Perdisci, Roberto ^a   Kolesnikov, Oleg ^a   Lee, Wenke ^a  

^a Georgia Institute of Technology   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

BLENDING; COMPUTER CRIME; INTRUSION DETECTION;

ANOMALY BASED INTRUSION DETECTION SYSTEMS; INTRUSION DETECTION SYSTEMS; NETWORK ANOMALIES;

NETWORK SECURITY;

EID: 85077703150     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (37)

1. P. Akritidis, E. P. Markatos, M. Polychronakis, and K. D. Anagnostakis. Stride: Polymorphic sled detection through instruction sequence analysis. In Proceedings of the 20th IFIP International Information Security Conference (IFIP/SEC 2005), 2005.
2. R. Chinchani and E.V.D. Berg. A fast static analysis approach to detect exploit code inside network flows. In Recent Advances in Intrusion Detection, 2005.
3. M. Christodorescu, S. Jha, S. Seshia, D. Song, and R. Bryant. Semantics-aware malware detection. In Proceeding of the IEEE Security and Privacy Conference, 2005.
4. T. H. Cormen, C. E. Leiserson, and R. L. Rivest. Introduction to algorithms. The MIT Press, 1990.
5. T. Detristan, T. Ulenspiegel, Y. Malcom, and M. Underduk. Polymorphic shellcode engine using spectrum analysis. Phrack Issue 0x3d, 2003.
6. H. Feng, J. Giffin, Y. Huang, S. Jha, W. Lee, and B. Miller. Formalizing sensitivity in static analysis for intrusion detection. In Proceedings the IEEE Symposium on Security and Privacy, 2004.
7. H. Feng, O. Kolesnikov, P. Fogla, W. Lee, and W. Gong. Anomaly detection using call stack information. In Proceedings of the IEEE Security and Privacy Conference, 2003.
8. Firew0rker. Windows media services remote command execution exploit. http://www.k-otik.com/exploits/07.01.nsiilogtitbit.cpp.php, 2003.
9. S. Forrest, S.A. Hofmeyr, A. Somayaji, and T.A. Longstaff. A sense of self for unix processes. In Proceedings of the IEEE Symposium on Security and Privacy, 1996.
10. Threat Intelligence Group. Phatbot trojan analysis. http://www.lurhq.com/phatbot.html.
11. M. Handley and V. Paxson. Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In 10th USENIX Security Symposium, 2001.
12. O. M. Kolesnikov, D. Dagon, and W. Lee. Advanced polymorphic worms: Evading IDS by blending in with normal traffic. Technical Report GIT-CC-04-13, College of Computing, Georgia Tech, 2004.
13. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Automating mimicry attacks using static binary analysis. In 14th Usenix Security Symposium, 2005.
14. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymorphic worm detection using structural information of executables. In Recent Advances in Intrusion Detection, 2005.
15. C. Kruegel, T. Toth, and E. Kirda. Service specific anomaly detection for network intrusion detection. In Proceedings of ACM SIGSAC, 2002.
16. C. Kruegel and G. Vigna. Anomaly detection of web-based attacks. In Proceedings of ACM CCS, pages 251–261, 2003.
17. Ktwo. Admmutate: Shellcode mutation engine. http://www.ktwo.ca/ADMmutate-0.8.4.tar.gz, 2001.
18. M. Mahoney. Network traffic anomaly detection based on packet bytes. In Proceedings of ACM SIGSAC, 2003.
19. M. Mahoney and P.K. Chan. Learning nonstationary models of normal network traffic for detecting novel attacks. In Proceedings of SIGKDD, 2002.
20. J. Newsome, B. Karp, and D. Song. Polygraph: Automatically generating signatures for polymorphic worms. In Proceeding of the IEEE Security and Privacy Conference, 2005.
21. R. Perdisci, D. Dagon, W. Lee, P. Fogla, and M. Sharif. Misleading worm signature generators using deliberate noise injection. In Proceedings of the IEEE Security and Privacy Conference, 2006.
22. T.H. Ptacek and T.N. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical Report T2R-0Y6, Secure Networks, Inc., 1998.
23. Rain Forest Puppy. A look at whisker’s anti- ids tactics just how bad can we ruin a good thing? www.wiretrip.net/rfp/txt/whiskerids.html, 1999.
24. S. Rubin, S. Jha, and B.P. Miller. Automatic generation and analysis of nids attacks. In Annual Computer Security Applications Conference (ACSAC), 2004.
25. M. Sedalo. Jempiscodes: Polymorphic shellcode generator. www.shellcode.com.ar/en/proyectos.html.
26. D. Song. Fragroute: a tcp/ip fragmenter. www.monkey.org/∼dugsong/fragroute, 2002.
27. Sal Stolfo. Personal communication. 2005.
28. P. Szor. Advanced code evolution techniques and computer virus generator kits. The Art of Computer Virus Research and Defense, 2005.
29. K.M.C. Tan, K.S. Killourhy, and R.A. Maxion. Undermining an anomaly-based intrusion detection system using common exploits. In Recent Advances in Intrusion Detection, 2002.
30. T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In Recent Advances in Intrusion Detection, 2002.
31. G. Vigna, W. Robertson, and D. Balzarotti. Testing network-based intrusion detection signatures using mutant exploits. In Proceedings of the ACM Conference on Computer and Communication Security (ACM CCS), pages 21–30, 2004.
32. D. Wagner and D. Dean. Intrusion detection via static analysis. In Proceeding of IEEE Symposium on Security and Privacy, 2001.
33. D. Wagner and P. Soto. Mimicry attacks on host-based intrusion detection systems. In Proceedings of the ACM Conference on Computer and Communication Security (ACM CCS), 2002.
34. H. J. Wang, C. Guo, D. R. Simon, and A. Zugenmaier. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In the Proceedings of ACM SIGCOMM, 2004.
35. K. Wang and S. Stolfo. Anomalous payload-based network intrusion detection. In Recent Advances in Intrusion Detection, 2004.
36. K. Wang and S. Stolfo. Anomalous payload-based worm detection and signature generation. In Recent Advances in Intrusion Detection, 2005.
37. T. Yetiser. Polymorphic viruses: Implementation, detection, and protection. Technical report, VDS Advanced Research Group, 1993.