Real Time Polymorphic Shellcode Detection

Evgeny Pinchuk (evgenyp@radware.com)

Radware SOC Team

Introduction
  • Techniques for detecting buffer overruns
    • Protocol inspection for anomalies
    • Exploitation payload detection
  • What’s a shellcode
  • Pattern matching
  • Definition of polymorphism
    • In order to execute encrypted code, we must decrypt it first.
  • Differences between AV and IDS/IPS
    • Speed
    • Accuracy of executed code
Polymorphic vs. Regular
  • Regular Shellcode
    • NOP Sled | Shellcode | Padding | Return Address
  • Polymorphic Shellcode
    • NOP Sled | Decipher Engine | Shellcode* | Padding | Return Address

* Ciphered shellcode

Current techniques for detection
  • Counting NOP (or fake NOP) instructions
    • CPU-consuming (so not real-time)
    • High false positives rate
  • Spectrum Analysis
    • High false positives rate
    • Beatable by four-byte encryption
  • Code emulation
    • CPU-consuming (so not real-time)
  • Data Mining
    • Involves network learning mechanisms
    • High false positives rate
    • Preferred solution
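Two of the heuristics listed above, NOP-sled counting and a byte-spectrum (entropy) measure, as an added example that is not part of the presentation: it runs over constructed buffers and shows the false positive that plain ASCII text triggers in the sled counter, and how a repeating four-byte XOR layer changes the spectrum of a payload. The fake-NOP set and the sled threshold are assumptions for illustration.

```python
# Added example, not from the presentation: two of the heuristics listed
# above, run over constructed byte strings.
import math
from collections import Counter

# Bytes an x86 sled can use as "fake NOPs": NOP plus the one-byte
# INC/DEC r32 opcodes 0x40-0x4F (assumed illustrative set, not exhaustive).
FAKE_NOPS = {0x90} | set(range(0x40, 0x50))


def longest_nop_run(buf: bytes) -> int:
    """Longest run of consecutive fake-NOP bytes (the sled-counting heuristic)."""
    best = cur = 0
    for b in buf:
        cur = cur + 1 if b in FAKE_NOPS else 0
        best = max(best, cur)
    return best


def is_sled(buf: bytes, threshold: int = 32) -> bool:
    """Flag the buffer when a fake-NOP run reaches the (assumed) threshold."""
    return longest_nop_run(buf) >= threshold


def byte_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte, a crude spectrum of the buffer."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def xor_stream(buf: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the kind of four-byte encryption the slide names."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


if __name__ == "__main__":
    # Constructed inputs: a 64-byte NOP sled, and 45 bytes of ordinary text
    # made of ASCII 'A'..'O' (0x41-0x4F), which decode as INC r32.
    sled = b"\x90" * 64 + b"\xcc" * 8
    text = b"ABCDEFGHIJKLMNO" * 3
    print(is_sled(sled), is_sled(text))  # True True: the text is a false positive
    # Constructed low-entropy payload; its spectrum changes once enciphered.
    plain = b"abc" * 40
    enc = xor_stream(plain, b"\x10\x20\x30\x40")
    print(round(byte_entropy(plain), 3), round(byte_entropy(enc), 3))
```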
The End

Let's open the discussion!