Home

Services

Markets

Knowledge

Research

Cases

Blog

Company

Contact

Services
Systems & vulnerability research
Capability development
Defensive design
Knowledge
Research
Cases
Blog

sales[  ]midnightblue[  ]nl

PGP (0x9035856DF1D41F73)

Work with us
October, 2014
10 Minutes
Research

Overview

Evading Emulation-Based Network Intrusion Detection Systems

Abstract

Emulation-based network intrusion detection systems have been devised to detect the presence of shellcode in network traffic by trying to execute (portions of) the network packet payloads in an instrumented environment and checking the execution traces for signs of shellcode activity. Emulation-based network intrusion detection systems are regarded as a significant step forward with regards to traditional signature-based systems, as they allow detecting polymorphic (i.e., encrypted) shellcode.

In this paper we investigate and test the actual effectiveness of emulation-based detection and show that the detection can be circumvented by employing a wide range of evasion techniques, exploiting weakness that are present at all three levels in the detection process. We draw the conclusion that current emulation-based systems have limitations that allow attackers to craft generic shellcode encoders able to circumvent their detection mechanisms.

Publications

Date

Type

Title

Venue

17-09-2014

Academic paper

On Emulation-Based Network Intrusion Detection Systems

RAID

August 2014

Conference talk

APTs way: Evading Your EBNIDS

Black Hat EU

RAID PaperBlack Hat paperBlack Hat slides

Conference recordings

Related knowledge items

All items

Sep 2024
Cases

Case studies coming Soon

We are currently in the process of writing several case studies regarding experiences and engagements througout our clientele. Check back soon.

Read more

0
Aug 2023
Research

RE:TETRA CVEs

During our TETRA:BURST research, we found numerous vulnerabilities in TETRA equipment and underlying technologies. This page is an overview of the findings.

Read more

10 Minutes