Real-World Polymorphic Attack Detection
Source: Institute for Infocomm Research
As state-of-the-art attack detection technology becomes more prevalent, attackers have started to employ evasion techniques such as code obfuscation and polymorphism to defeat existing defenses. The authors have recently proposed network-level emulation, a heuristic detection method that scans network traffic for polymorphic attacks. The approach uses a CPU emulator to dynamically execute every potential instruction sequence in the inspected traffic, aiming to identify the runtime behavior characteristic of certain classes of malicious code, such as self-decrypting polymorphic shellcode. In this paper, they present results and experiences from deployments of network-level emulation in production networks. After more than a year of continuous operation, the prototype implementation has captured more than a million attacks against real systems and has so far produced no false positives.
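Added here as an illustration of the recipe the abstract describes (this is example code written for this page, not the authors' prototype or any code from the paper): a toy scanner that treats every byte offset of a payload as a potential entry point and executes it on a minimal x86-32 emulator. The flagging rule (a call/pop GetPC construct followed by at least a threshold of reads from inside the payload), the memory layout (BASE, STACK_TOP), the instruction subset and the sample decoder bytes are all constructed assumptions for this example, not the paper's exact heuristic, thresholds or data.

```python
# Toy network-level emulation scanner: added example with an ASSUMED simplified heuristic.
import struct

BASE = 0x10000000            # assumed address the payload is mapped at
STACK_TOP = 0x7FFF0000       # assumed initial esp; the stack lives outside the payload
PAYLOAD_READ_THRESHOLD = 4   # assumed: self-referencing reads needed to flag a chain
ECX, ESP = 1, 4              # x86 register numbers used below

class ChainEnd(Exception):
    pass                     # left the supported subset or mapped memory: stop this chain

class Emulator:
    def __init__(self, payload, entry):
        self.mem = bytearray(payload)   # writable copy: the decoder patches itself
        self.stack = {}                 # addr -> dword, for the call/pop pair
        self.regs = [0] * 8
        self.regs[ESP] = STACK_TOP
        self.eip = BASE + entry
        self.getpc = False              # popped an address inside the payload
        self.payload_reads = 0          # data reads that hit the payload itself

    def fetch(self, n):
        off = self.eip - BASE
        if off < 0 or off + n > len(self.mem):
            raise ChainEnd
        self.eip += n
        return bytes(self.mem[off:off + n])

    def step(self):                                     # one instruction; False = clean end
        op = self.fetch(1)[0]
        if op == 0xCC:                                  # int3
            return False
        if op == 0x90:                                  # nop
            pass
        elif op == 0xE8:                                # call rel32: push return address
            rel, = struct.unpack('<i', self.fetch(4))
            self.regs[ESP] -= 4
            self.stack[self.regs[ESP]] = self.eip
            self.eip = (self.eip + rel) & 0xFFFFFFFF
        elif 0x58 <= op <= 0x5F:                        # pop r32
            val = self.stack.get(self.regs[ESP], 0)
            self.regs[ESP] += 4
            self.regs[op - 0x58] = val
            self.getpc |= BASE <= val < BASE + len(self.mem)   # GetPC: own address popped
        elif 0xB0 <= op <= 0xB3:                        # mov al/cl/dl/bl, imm8
            r = op - 0xB0
            self.regs[r] = (self.regs[r] & 0xFFFFFF00) | self.fetch(1)[0]
        elif 0x40 <= op <= 0x47:                        # inc r32
            self.regs[op - 0x40] = (self.regs[op - 0x40] + 1) & 0xFFFFFFFF
        elif op == 0x80:                                # xor byte [r32+disp8], imm8 only
            modrm = self.fetch(1)[0]
            mod, grp, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
            if mod != 1 or rm == 4 or grp != 6:         # no SIB, no add/sub/... forms
                raise ChainEnd
            disp, = struct.unpack('<b', self.fetch(1))
            imm = self.fetch(1)[0]
            addr = (self.regs[rm] + disp) & 0xFFFFFFFF
            if not BASE <= addr < BASE + len(self.mem):  # only the payload is backed
                raise ChainEnd
            self.payload_reads += 1
            self.mem[addr - BASE] ^= imm                # read-modify-write of own body
        elif op == 0xE2:                                # loop rel8: dec ecx, jnz
            rel, = struct.unpack('<b', self.fetch(1))
            self.regs[ECX] = (self.regs[ECX] - 1) & 0xFFFFFFFF
            if self.regs[ECX]:
                self.eip = (self.eip + rel) & 0xFFFFFFFF
        else:
            raise ChainEnd                              # outside the subset
        return True

    def run(self, budget=2048):                         # assumed per-entry instruction budget
        try:
            for _ in range(budget):
                if not self.step():
                    break
        except ChainEnd:
            pass
        return self

def scan(payload):
    """Emulate from every offset; report each entry point the heuristic flags."""
    hits = []
    for entry in range(len(payload)):
        e = Emulator(payload, entry).run()
        if e.getpc and e.payload_reads >= PAYLOAD_READ_THRESHOLD:
            hits.append({'offset': entry, 'payload_reads': e.payload_reads})
    return hits

# Constructed sample: call/pop GetPC decoder, then an 8-byte body (seven nops and
# an int3) XOR-encrypted with key 0x55; constructed benign HTTP for contrast.
DECODER = bytes([
    0xE8, 0x00, 0x00, 0x00, 0x00,   # 00: call +0           pushes BASE+5
    0x5D,                           # 05: pop ebp           ebp = BASE+5 (GetPC)
    0xB1, 0x08,                     # 06: mov cl, 8         body length
    0x80, 0x75, 0x0A, 0x55,         # 08: xor byte [ebp+0x0A], 0x55
    0x45,                           # 0C: inc ebp
    0xE2, 0xF9,                     # 0D: loop 08
]) + bytes(b ^ 0x55 for b in b'\x90' * 7 + b'\xCC')   # 0F: encrypted body
BENIGN_HTTP = b'GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n'
```

Calling `scan(DECODER)` reports offset 0 with eight self-referencing reads, and the emulator's memory afterwards holds the decrypted nop sled and int3, showing that execution really did fall through into bytes the chain had just rewritten. `scan(BENIGN_HTTP)` reports nothing: in this subset, printable protocol text never pushes a payload address for a later pop to recover, so the GetPC condition alone discards it, and the read threshold rules out chains that merely stumble onto a stray pop. A deployable detector needs a far larger instruction set, a realistic memory model and a tuned threshold; this block only shows the shape of the analysis.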