Return to search

Architecture for generic detection of machine code injection in computer networks

Since the creation of public exploitation frameworks, advanced payloads are used in computer attacks. The attacks generally employ evasion techniques, have anti-forensics capabilities, and use target machines as pivots to reach other machines in the network. The attacks also use polymorphic malicious code that automatically transforms themselves in semantically equivalent variants, which makes them difficult to be detected. The current approaches that try to detect the attacks, fail because they either generate high number of false positives or require high performance capability to work properly. This thesis proposes an architecture for advanced payload detection structured in layers that employ a variant of techniques. The first layers use less computing intensive techniques while the last layers make use of smarter inspection techniques. Fine-grained checks are possible due to the layered approach. For instance, the first layer employs pattern matching while the last layer uses smart network traffic disassembly. In order to improve performance in the detection of forthcoming attacks, the proposed architecture allows the updates of checking rules for more frequently detected attacks. The proposed architecture addresses the high rate false-positives problem using a confidence level updated accordingly to the threat level observed by each layer. We implemented the architecture using real-life workloads and conventional hardware platforms with acceptable throughput. We also contribute with the creation of the well-known Return Address layer optimizing the instruction emulation.

Identiferoai:union.ndltd.org:IBICT/oai:agregador.ibict.br.BDTD_ITA:oai:ita.br:2116
Date03 June 2012
CreatorsRodrigo Rubira Branco
ContributorsCelso Massaki Hirata
PublisherInstituto Tecnológico de Aeronáutica
Source SetsIBICT Brazilian ETDs
LanguageEnglish
Detected LanguageEnglish
Typeinfo:eu-repo/semantics/publishedVersion, info:eu-repo/semantics/masterThesis
Formatapplication/pdf
Sourcereponame:Biblioteca Digital de Teses e Dissertações do ITA, instname:Instituto Tecnológico de Aeronáutica, instacron:ITA
Rightsinfo:eu-repo/semantics/openAccess

Page generated in 0.0096 seconds