On the Infeasibility of Modeling Polymorphic Shellcode: Re-Thinking the Role of Learning in Intrusion Detection Systems

Date Added: Oct 2009
Format: PDF

Current trends show attackers making increasing use of polymorphism to disguise their exploits. The ease with which malicious code can be automatically transformed into semantically equivalent variants frustrates attempts to construct simple, easily verifiable representations of it for use in security sensors. In this paper, the authors present a quantitative analysis of the strengths and limitations of shellcode polymorphism, and describe the impact these techniques have on learning-based intrusion detection systems. The examination focuses on two complementary problems: encryption-based shellcode evasion methods and targeted "blending" attacks. Both techniques are currently used in the wild, allowing real exploits to evade IDS sensors.
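The two evasion problems the abstract names can be made concrete with a small simulation. The block below is an added example, not code from the paper or its authors. It builds XOR-encoded variants of a constructed stand-in payload (the bytes are not shellcode and are never executed), shows that a byte signature written against the cleartext payload matches none of the 255 keyed variants, and then pads a variant with copies of a constructed "normal traffic" sample so that its 1-gram byte distribution moves toward the profile a learning-based sensor would have trained on. The decoder stub layout is modelled on the classic x86 JMP/CALL/POP XOR decoder, but the offsets are my own assumption and the stub is handled purely as data; the 1-gram histogram with an L1 distance is a deliberate simplification of the n-gram models the paper studies.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a payload (assumption: NOT shellcode, never executed).
 * It only supplies the bytes a naive signature would be written against. */
static const uint8_t PAYLOAD[] = "STAND-IN PAYLOAD BYTES \x01\x02\x03\x04";
#define PAYLOAD_LEN ((int)sizeof(PAYLOAD) - 1)

/* Constructed "normal traffic" sample (assumption) standing in for the data a
 * learning-based sensor would train its byte-distribution model on. */
static const char NORMAL[] =
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n";
#define NORMAL_LEN ((int)sizeof(NORMAL) - 1)

#define STUB_LEN 20
#define MAX_BUF 1024

/* Build one variant: a decoder stub carrying the key and length, followed by the
 * XOR-encoded payload. Layout mirrors the x86 JMP/CALL/POP XOR decoder (my own
 * assumption); only bytes 6 (length) and 9 (key) change from variant to variant. */
int make_variant(uint8_t key, uint8_t *out) {
    static const uint8_t stub[STUB_LEN] = {
        0xEB, 0x0D,                   /* jmp  call_decoder                  */
        0x5E,                         /* decoder: pop esi                   */
        0x31, 0xC9,                   /* xor  ecx, ecx                      */
        0xB1, 0x00,                   /* mov  cl, LEN  (patched per variant) */
        0x80, 0x36, 0x00,             /* loop: xor byte [esi], KEY (patched) */
        0x46,                         /* inc  esi                           */
        0xE2, 0xFA,                   /* loop loop                          */
        0xEB, 0x05,                   /* jmp  payload                       */
        0xE8, 0xEE, 0xFF, 0xFF, 0xFF  /* call_decoder: call decoder         */
    };
    memcpy(out, stub, STUB_LEN);
    out[6] = (uint8_t)PAYLOAD_LEN;
    out[9] = key;
    for (int i = 0; i < PAYLOAD_LEN; i++)
        out[STUB_LEN + i] = PAYLOAD[i] ^ key;
    return STUB_LEN + PAYLOAD_LEN;
}

/* Simulate what the stub does at run time: read length and key from the stub and
 * XOR the body back. Trailing bytes beyond LEN are ignored, which is what lets
 * blending padding ride along inertly. Returns decoded length or -1 if malformed. */
int decode_variant(const uint8_t *v, int vlen, uint8_t *out) {
    if (vlen < STUB_LEN || v[0] != 0xEB || v[2] != 0x5E) return -1;
    int len = v[6];
    uint8_t key = v[9];
    if (STUB_LEN + len > vlen) return -1;
    for (int i = 0; i < len; i++) out[i] = v[STUB_LEN + i] ^ key;
    return len;
}

/* Naive signature sensor: does the buffer contain the cleartext payload bytes? */
int signature_hits(const uint8_t *buf, int len) {
    for (int i = 0; i + PAYLOAD_LEN <= len; i++)
        if (memcmp(buf + i, PAYLOAD, PAYLOAD_LEN) == 0) return 1;
    return 0;
}

/* How many of the 255 non-zero-key variants does that signature catch? */
int variants_caught(void) {
    uint8_t v[MAX_BUF];
    int caught = 0;
    for (int k = 1; k < 256; k++)
        caught += signature_hits(v, make_variant((uint8_t)k, v));
    return caught;
}

/* Blending: append whole copies of the normal sample so the 1-gram histogram of the
 * message as a whole drifts toward the learned profile. Returns the padded length. */
int blend(const uint8_t *v, int vlen, int copies, uint8_t *out) {
    memcpy(out, v, vlen);
    int n = vlen;
    for (int c = 0; c < copies && n + NORMAL_LEN <= MAX_BUF; c++) {
        memcpy(out + n, NORMAL, NORMAL_LEN);
        n += NORMAL_LEN;
    }
    return n;
}

static void histogram(const uint8_t *b, int n, double h[256]) {
    memset(h, 0, 256 * sizeof(double));
    for (int i = 0; i < n; i++) h[b[i]] += 1.0 / n;
}

/* L1 distance between the 1-gram distributions of two buffers, scaled by 1000. */
int l1_distance_x1000(const uint8_t *a, int alen, const uint8_t *b, int blen) {
    double ha[256], hb[256], d = 0.0;
    histogram(a, alen, ha);
    histogram(b, blen, hb);
    for (int i = 0; i < 256; i++) d += ha[i] > hb[i] ? ha[i] - hb[i] : hb[i] - ha[i];
    return (int)(d * 1000);
}

/* Distance of a keyed variant, padded with `copies` blending copies, to the profile. */
int blended_distance(uint8_t key, int copies) {
    uint8_t v[MAX_BUF], b[MAX_BUF];
    int blen = blend(v, make_variant(key, v), copies, b);
    return l1_distance_x1000(b, blen, (const uint8_t *)NORMAL, NORMAL_LEN);
}

/* Round trip: build, blend, decode, and compare with the original payload. */
int roundtrip_ok(uint8_t key, int copies) {
    uint8_t v[MAX_BUF], b[MAX_BUF], d[MAX_BUF];
    int blen = blend(v, make_variant(key, v), copies, b);
    int dlen = decode_variant(b, blen, d);
    return dlen == PAYLOAD_LEN && memcmp(d, PAYLOAD, PAYLOAD_LEN) == 0;
}

int main(void) {
    printf("signature hits cleartext payload: %d\n", signature_hits(PAYLOAD, PAYLOAD_LEN));
    printf("variants caught by that signature: %d of 255\n", variants_caught());
    printf("round trip (key 0x5A, 4 blending copies): %s\n", roundtrip_ok(0x5A, 4) ? "ok" : "FAIL");
    printf("L1 x1000 to profile: raw=%d blended=%d\n", blended_distance(0x5A, 0), blended_distance(0x5A, 4));
    return 0;
}
```

Compile with `cc -std=c99 -Wall poly.c` and run; the signature that fires on the cleartext payload fires on none of the keyed variants, while the decoder still recovers the payload from the padded message because it only touches the LEN bytes named in the stub. The one thing this toy leaves invariant is the stub itself, which is exactly what a byte-level sensor would try to key on; the paper's argument is that the decoder can be varied as freely as the body, so even that anchor is not stable.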