As state-of-the-art attack detection technology becomes more prevalent, attackers have started to employ evasion techniques such as code obfuscation and polymorphism to defeat existing defenses. We have recently proposed network-level emulation, a heuristic detection method that scans network traffic to detect polymorphic attacks. Our approach uses a CPU emulator to dynamically analyze every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of certain malicious code classes, such as self-decrypting polymorphic shellcode. In this paper, we present results and experiences from deployments of network-level emulation in production networks. After more than a year of continuous operation, our prototype implementation has captured more than a million attacks against real systems, while so far has not resulted to any false positives. The observed attacks employ a highly diverse set of exploits, often against less widely used vulnerable services, and in some cases, sophisticated obfuscation schemes.
[1]
Vinod Yegneswaran,et al.
Internet intrusions: global characteristics and prevalence
,
2003,
SIGMETRICS '03.
[2]
Peter Szor,et al.
The Art of Computer Virus Research and Defense
,
2005
.
[3]
Acknowledgments
,
2006,
Molecular and Cellular Endocrinology.
[4]
Evangelos P. Markatos,et al.
Network-level polymorphic shellcode detection using emulation
,
2006,
Journal in Computer Virology.
[5]
Niels Provos,et al.
The Ghost in the Browser: Analysis of Web-based Malware
,
2007,
HotBots.
[6]
Evangelos P. Markatos,et al.
Emulation-Based Detection of Non-self-contained Polymorphic Shellcode
,
2007,
RAID.
[7]
Niels Provos,et al.
All Your iFRAMEs Point to Us
,
2008,
USENIX Security Symposium.