Real-world Polymorphic Attack Detection
Tuesday October 5, 2010, 11:00 am in MCS 135
Speaker: Evangelos Markatos
Abstract: As state-of-the-art attack detection technology becomes more prevalent, attackers have started to employ evasion techniques such as code obfuscation and polymorphism to defeat existing defenses. We have recently proposed network-level emulation, a heuristic detection method that scans network traffic to detect polymorphic attacks. Our approach uses a CPU emulator to dynamically analyze every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of certain malicious code classes, such as self-decrypting polymorphic shellcode. In this work, we present results and experiences from deployments of network-level emulation in production networks. After more than a year of continuous operation, our prototype implementation has captured more than a million attacks against real systems and has so far not produced a single false positive. The observed attacks employ a highly diverse set of exploits, often against less widely used vulnerable services, and in some cases sophisticated obfuscation schemes.
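To make the detection idea in the abstract concrete, here is an added toy example (written for this page, not code from the speaker's prototype): a tiny CPU emulator for an invented instruction set, and a scanner that treats every byte offset of a traffic payload as a potential entry point, emulates from there, and flags a stream when the emulated code fetches instructions out of memory it has written itself (the write-then-execute pattern of a self-decrypting payload). The instruction set, the "execute from self-written memory" heuristic, the threshold, the instruction budget and both sample streams are assumptions made for the example; the real system inspects actual machine code and uses its own set of behavioral heuristics.

```python
"""Toy network-level emulation: scan every offset of a byte stream with a small
emulator and flag code that executes out of memory it decrypted in place."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Invented toy ISA (not real machine code). Registers: A (accumulator),
# B (pointer), C (counter), PC. Two-byte instructions carry one immediate.
HALT, MOV_A, MOV_B, MOV_C, XOR_A, JNZ_C = 0xFF, 0x10, 0x11, 0x41, 0x30, 0x50
LOAD_A_B, STORE_B_A, INC_B, DEC_C = 0x22, 0x23, 0x40, 0x42


@dataclass
class Verdict:
    start: int          # offset in the stream where the flagged code begins
    executed: int       # instructions emulated from that offset
    from_written: int   # instructions fetched from bytes the code wrote itself


def emulate(mem: bytearray, budget: int = 256) -> tuple[int, int]:
    """Run the toy CPU over `mem` starting at offset 0.

    Returns (instructions executed, instructions fetched from addresses that
    this code itself stored to). Emulation stops on HALT, an undefined opcode
    (the offset is then simply not code), running off the buffer, or using
    up the instruction budget (so non-terminating sequences cost bounded time).
    """
    a = b = c = pc = 0
    written: set[int] = set()
    executed = from_written = 0
    while executed < budget and 0 <= pc < len(mem):
        if pc in written:                 # write-then-execute: self-decryption
            from_written += 1
        op = mem[pc]
        executed += 1
        if op == HALT:
            break
        if op in (MOV_A, MOV_B, MOV_C, XOR_A, JNZ_C):
            if pc + 1 >= len(mem):        # immediate operand missing
                break
            arg = mem[pc + 1]
            if op == MOV_A:
                a = arg
            elif op == MOV_B:
                b = arg
            elif op == MOV_C:
                c = arg
            elif op == XOR_A:
                a ^= arg
            elif c != 0:                  # JNZ_C taken
                pc = arg
                continue
            pc += 2
        elif op == LOAD_A_B:
            if b >= len(mem):
                break
            a = mem[b]
            pc += 1
        elif op == STORE_B_A:
            if b >= len(mem):
                break
            mem[b] = a
            written.add(b)                # remember self-modified addresses
            pc += 1
        elif op == INC_B:
            b = (b + 1) & 0xFF
            pc += 1
        elif op == DEC_C:
            c = (c - 1) & 0xFF
            pc += 1
        else:
            break                         # undefined opcode: not code
    return executed, from_written


def scan(stream: bytes, threshold: int = 2, budget: int = 256) -> Optional[Verdict]:
    """Treat every offset as a candidate entry point, emulate on a private copy
    of the remaining bytes, and report the first offset whose code executes at
    least `threshold` instructions out of memory it wrote itself."""
    for start in range(len(stream)):
        executed, from_written = emulate(bytearray(stream[start:]), budget)
        if from_written >= threshold:
            return Verdict(start, executed, from_written)
    return None


# Constructed sample: a decoder loop that XORs a 3-byte encrypted body in place
# and then falls through into the decrypted bytes (toy ISA only).
SELF_DECRYPTING = bytes([
    MOV_B, 0x0C,          # B = 12, offset of the encrypted body
    MOV_C, 0x03,          # C = 3 bytes to decode
    LOAD_A_B,             # loop: A = mem[B]
    XOR_A, 0xAA,          #       A ^= key
    STORE_B_A,            #       mem[B] = A  (self-modification)
    INC_B, DEC_C,
    JNZ_C, 0x04,          #       repeat until C == 0, then fall into the body
    0xBA, 0x80, 0x55,     # body: (MOV_A 0x2A ; HALT) XOR 0xAA
])
# Constructed benign request: contains no STORE opcode, so nothing it could
# "execute" is ever self-written.
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print("benign:", scan(BENIGN))
    print("embedded:", scan(BENIGN + SELF_DECRYPTING))
```

The scanner costs roughly (stream length × instruction budget) emulated instructions, which is why a per-offset budget and an early stop on the first undefined opcode matter as much as the heuristic itself; a threshold above one also keeps a single stray self-write from triggering a verdict.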
Short Bio: Prof. Evangelos Markatos received his diploma in Computer Engineering from the University of Patras in 1988, and the M.S. and Ph.D. degrees in Computer Science from the University of Rochester, NY in 1990 and 1993 respectively. Since 1992 he has collaborated with the Institute of Computer Science of the Foundation for Research and Technology – Hellas (ICS-FORTH), where he is currently the founder and head of the Distributed Computing Systems Laboratory. He conducts research in several areas including distributed and parallel systems, the World-Wide Web, Internet systems and technologies, and computer and communication systems security. He has been the project manager of the LOBSTER and NoAH projects, both funded in part by the European Union and focused on developing novel approaches to network monitoring and network security. He is currently the project manager of the i-code and SysSec projects. Since 1992 he has also been affiliated with the Computer Science Department of the University of Crete, where he is currently a full Professor.
Host: Mark Crovella