Identifier 000355147
Title Generic detection of code injection attacks using network-level emulation
Alternative Title Detection of malicious code attacks using emulation
Author Πολυχρονάκης, Μιχαήλ Ιωάννη
Thesis advisor Μαρκάτος, Ευάγγελος Π
Abstract Code injection attacks against server and client applications have become the primary method of malware spreading. Identifying the shellcode that is part of the attack vector is a promising approach for the detection of previously unknown code injection attacks, irrespective of the particular exploitation method used or the vulnerability being exploited. Initial implementations of this approach attempt to identify the presence of shellcode in network inputs using static code analysis. However, attack detection methods based on static analysis cannot effectively handle malicious code that employs advanced obfuscation methods such as anti-disassembly tricks or self-modifying code. In this dissertation we present network-level emulation, a generic code injection attack detection method based on dynamic code analysis using emulation. Our prototype attack detection system, called Nemu, uses a CPU emulator to dynamically analyze valid instruction sequences in the inspected traffic. Based on runtime behavioral heuristics, the system identifies inherent patterns exhibited during the execution of the shellcode, and thus can identify the presence of malicious code in arbitrary inputs. We have developed heuristics that cover the most widely used shellcode types, including self-decrypting and non-self-contained polymorphic shellcode, plain or metamorphic shellcode, and memory-scanning shellcode. Network-level emulation does not rely on any exploit or vulnerability specific signatures, which allows the detection of previously unknown attacks. At the same time, the actual execution of the attack code on a CPU emulator makes the detector robust to evasion techniques like indirect jumps and self-modifications. Furthermore, each input is inspected autonomously, which makes the approach effective against targeted attacks. 
Our experimental evaluation with publicly available shellcode implementations and real attacks captured in the wild shows that Nemu is more robust to obfuscation techniques than previous proposals, while it can effectively detect a large and diverse set of shellcode implementations without any prior exploit-specific information. At the same time, extensive testing using a large and diverse set of generated and real data did not produce any false positives. To assess the effectiveness of our approach under realistic conditions, we have deployed Nemu in several production networks. Over the course of more than one year of continuous operation, Nemu has detected more than 1.2 million attacks against real systems. The large and diverse set of detected attacks, combined with the zero false positive rate over the whole period, demonstrates the effectiveness and practicality of our approach. We provide a thorough analysis of the captured attacks, focusing on the structure and operation of the shellcode, as well as the overall attack activity in relation to the different targeted services. Finally, we identify challenges faced by existing network trace anonymization schemes for the sharing of attack traces that contain self-decrypting shellcode. To alleviate this problem, we present an anonymization method that identifies and properly sanitizes sensitive information contained in the encrypted part of polymorphic shellcode, which is not exposed on the wire.
Language English
Issue date 2009-10-27
Collection School/Department -- School of Sciences and Engineering -- Department of Computer Science -- Doctoral theses
Type of Work Doctoral theses
Views 642
