Polymorphic malcode remains a troubling threat. The ability of malicious code to automatically transform itself into semantically equivalent variants frustrates attempts to rapidly construct a single, simple, easily verifiable representation of it. We present a quantitative analysis of the strengths and limitations of shellcode polymorphism and consider its impact on current intrusion detection practice. We focus on the nature of shellcode decoding routines. The empirical evidence we gather helps show that modeling the class of self-modifying code is likely intractable by known methods, including both statistical constructs and string signatures. In addition, we develop and present measures that provide insight into the capabilities, strengths, and weaknesses of polymorphic engines. In order to explore countermeasures to future polymorphic threats, we show how polymorphic techniques can be improved and create a proof-of-concept engine expressing these improvements. Our results indicate that the class of polymorphic behavior is too widely spread and varied to model effectively. Our analysis also supplies a novel way to understand the limitations of current signature-based techniques. We conclude that modeling normal content is ultimately a more promising defense mechanism than modeling malicious or abnormal content.