Real Time Polymorphic Shellcode Detection

Real Time Polymorphic Shellcode Detection Evgeny Pinchuk (evgenyp@radware.com) Radware SOC Team

Introduction • Techniques for detecting buffer overruns • Protocol inspection for anomalies • Exploitation payload detection • What’s a shellcode • Pattern matching • Definition of polymorphism • In order to execute encrypted code, we must decrypt it first. • Differences between AV and IDS/IPS • Speed • Accuracy of executed code

Polymorphic vs. Regular • Regular Shellcode NOP Sled Shellcode Padding Return Address • Polymorphic Shellcode NOP Sled Decipher Engine Shellcode* Padding Return Address * Ciphered shellcode

Current techniques for detection • Counting NOP (or fake NOP) instructions • CPU consuming (making it not RT) • High false positives rate • Spectrum Analysis • High false positives • Beatable by four bytes encryption • Code emulation • CPU consuming (making it not RT) • Data Mining • Involves network learning mechanisms • High false positives rate • Preferred solution

The End Lets open the discussion !!!

Real Time Polymorphic Shellcode Detection

Real Time Polymorphic Shellcode Detection

Presentation Transcript

Shellcode

Ox500. Shellcode

Robust real-time face detection

Polymorphic Malware Detection

“Real-time” Transient Detection Algorithms

English Shellcode

Port binding shellcode

Robust Real-Time Face Detection

Robust Real-time Object Detection

Real Time Pattern Detection

Shellcode 작성

Real Time Skin Motion Detection

Real-Time Multivariate Detection from Single Cells

Polymorphic Worm Detection by Instruction Distribution

Towards real-time camera based logos detection

Comprehensive Shellcode Detection using Runtime Heuristics

Real Time Bursty Topic Detection from Twitter

Shellcode

Robust Real-Time Object Detection

Real-time Solar neutrino detection with Borexino

Real Time Eye Blinking and Yawning Detection