1 Real Time Polymorphic Shellcode Detection. Evgeny Pinchuk, Radware SOC Team.


2 Introduction
Techniques for detecting buffer overruns
 – Protocol inspection for anomalies
 – Exploitation payload detection
What's a shellcode
Pattern matching
Definition of polymorphism
 – In order to execute encrypted code, we must decrypt it first.
Differences between AV and IDS/IPS
 – Speed
 – Accuracy of executed code

3 Polymorphic vs. Regular
Regular Shellcode:     NOP Sled | Shellcode | Padding | Return Address
Polymorphic Shellcode: NOP Sled | Decipher Engine | Shellcode* | Padding | Return Address
* Ciphered shellcode

4 Current techniques for detection
Counting NOP (or fake NOP) instructions
 – CPU consuming (making it not RT)
 – High false positives rate
Spectrum Analysis
 – High false positives
 – Beatable by four bytes encryption
Code emulation
 – CPU consuming (making it not RT)
Data Mining
 – Involves network learning mechanisms
 – High false positives rate
 – Preferred solution
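The first two heuristics on this slide (NOP counting and spectrum analysis) applied to the buffer layout of the previous slide, as an added Python example; this is not code from the talk or from Radware. It implements a NOP-sled run counter and a byte-histogram "spectrum" statistic, and runs them over constructed sample buffers to show the two weaknesses the slide names: a wider "fake NOP" byte set makes ordinary capital-letter text look like a sled (false positive), and a one-byte XOR key leaves the byte spectrum shape untouched while a four-byte key flattens it. The NOP-like byte set, the 32-byte run threshold and the sample buffers are assumptions made for the example.

```python
import math
from collections import Counter

# Byte sets for the sled counter. 0x90 is the real x86 NOP; 0x40..0x4f are the
# 32-bit single-byte inc/dec reg instructions that sled detectors commonly treat
# as "fake NOPs". Which set to use is a tuning choice (assumption, not from the talk).
REAL_NOP = frozenset({0x90})
NOP_LIKE = frozenset({0x90, *range(0x40, 0x50)})

# Constructed sample inputs (not captured traffic).
HTTP_TEXT = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 4
SLED_BUFFER = b"\x90" * 64 + b"\xcc" * 16   # 64-byte sled followed by filler bytes
SHOUTING_TEXT = b"HELLO" * 8                 # 40 bytes of plain ASCII, all in 0x40..0x4f


def longest_nop_run(payload: bytes, nop_bytes=REAL_NOP) -> int:
    """Length of the longest run of consecutive NOP-like bytes (sled counting)."""
    best = run = 0
    for b in payload:
        run = run + 1 if b in nop_bytes else 0
        best = max(best, run)
    return best


def sled_alert(payload: bytes, nop_bytes=REAL_NOP, min_run=32) -> bool:
    """Sled heuristic: fire when a NOP-like run reaches min_run bytes (assumed threshold)."""
    return longest_nop_run(payload, nop_bytes) >= min_run


def histogram_shape(payload: bytes) -> tuple:
    """Byte-frequency 'spectrum': histogram counts sorted descending.
    Relabelling byte values (what a 1-byte XOR does) leaves this tuple unchanged."""
    return tuple(sorted(Counter(payload).values(), reverse=True))


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte histogram, in bits per byte."""
    n = len(payload)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, used here only to test how the spectrum statistic reacts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def spectrum_report(plaintext: bytes) -> dict:
    """Compare a buffer's spectrum with its 1-byte-key and 4-byte-key XOR variants."""
    one = xor_with_key(plaintext, b"\x5a")
    four = xor_with_key(plaintext, b"\x11\x22\x44\x88")
    return {
        "same_shape_after_1byte_key": histogram_shape(one) == histogram_shape(plaintext),
        "same_shape_after_4byte_key": histogram_shape(four) == histogram_shape(plaintext),
        # entropies of (plaintext, 1-byte key, 4-byte key)
        "entropy": (round(byte_entropy(plaintext), 2),
                    round(byte_entropy(one), 2),
                    round(byte_entropy(four), 2)),
    }


if __name__ == "__main__":
    print("sled alert, real NOP, sled buffer:", sled_alert(SLED_BUFFER))
    print("sled alert, real NOP, HTTP text:  ", sled_alert(HTTP_TEXT))
    # With the wider fake-NOP set, capital letters H/E/L/O all count as NOP-like:
    print("sled alert, fake NOPs, 'HELLO'*8: ", sled_alert(SHOUTING_TEXT, NOP_LIKE))
    print(spectrum_report(HTTP_TEXT))
```

The sled counter is linear in payload size, but on a multi-gigabit link that scan still has to run on every byte of every flow, which is the real-time cost the slide points at; the false positive on `"HELLO" * 8` is the price of widening the NOP set. The spectrum report shows why a detector that keys on histogram shape (or entropy) survives a one-byte key but not a four-byte one: the four relabelled sub-histograms overlap and the combined spectrum moves toward the flat profile of compressed or encrypted data, which is also where the high false-positive rate comes from.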

5 The End. Let's open the discussion!!!