Focus on IDS
Re: Obfuscated web pages
Feb 15 2008 09:43PM
partner50113371 vansoftcorp com
Re: Obfuscated web pages
Feb 20 2008 10:28PM
Dustin D. Trammell (dtrammell bpointsys com)
On Fri, 2008-02-15 at 21:43 +0000, partner50113371 (at) vansoftcorp (dot) com
> > Oddly enough, I just published a paper on shellcode encoding for evading
> > network security/monitoring systems that cites two different projects
> > that attempt to do this type of thing for shellcode in real-time in a
> > sandbox environment, however they both were not ID/PS systems:
> I checked your biblio and much of the existing work done in the area of IDS/IPS evasion using payload customization and attack blending is not mentioned there.
The two citations I was referring to in my paper were 4 and 5, and as I
mentioned, were NOT ID/PS systems. Also, my paper is (in a nutshell)
about applying the approach of keyed cryptography (i.e., keeping the key
secret) to payload encoding in an effort to avoid automated analysis or
forensics, not necessarily about ID/PS evasion (no ID/PSs I am aware of
currently try to do this, hence the discussion in this thread). These
differences in subject-matter are why there were no references to
previous research regarding payload polymorphism and attack blending.
My original point was that even though ID/PSs aren't currently doing
this, it doesn't mean that other types of systems aren't.
> Have you seen the paper from Georgia Tech Information Security Group by Kolesnikov and Lee on polymorphic blending published in 2004?
> 1. Kolesnikov, Lee
> Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic,
> The paper described creating custom attacks/payloads based on knowledge about the target network so as to evade IDS.
I had, and it's very interesting research. The difference in that
research effort versus contextual keying is that rather than attempting
to, for example, disguise yourself as a tree when romping about a
forest, a contextual-keyed encoded payload doesn't care if you can pick
it out of the environment because without the context-key it won't
decode and reveal what it's doing, like hiding inside a cabin in that
same forest; the cabin is easy to see, however without the key to unlock
the door an observer won't know what's going on inside.
Dustin D. Trammell
BreakingPoint Systems, Inc.
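The cabin-in-the-forest point above, as an added illustration that is not part of the thread or of Trammell's paper: a toy context-keyed encoder in which the key is derived from an environmental value, so a sandbox that does not reproduce that value sees only the encoded bytes. The payload string and the hostname context are constructed sample values; the defender-side lesson is that analysis has to capture the context source or the decoder stub, since the payload alone reveals nothing.

```python
import hashlib
from itertools import cycle

# Constructed sample: a plain-text "payload" stands in for the bytes a real
# encoder would protect; the context is a value only the intended environment
# yields (here a hypothetical hostname string).
PAYLOAD = b"decoded only where the context matches"
TARGET_CONTEXT = b"hostname=build-server-07"   # constructed value


def derive_key(context: bytes) -> bytes:
    """Turn an environmental observation into a fixed-size key.

    The context is never stored alongside the payload; only the encoder and
    the intended environment can reproduce it.
    """
    return hashlib.sha256(context).digest()


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Symmetric keystream XOR: the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode(payload: bytes, context: bytes) -> bytes:
    return xor_with_key(payload, derive_key(context))


def decode(blob: bytes, observed_context: bytes) -> bytes:
    """What a decoder stub does at run time: observe the context, derive the
    key, apply it. Nothing checks that the result is meaningful, so a wrong
    context (e.g. a sandbox's own hostname) silently yields garbage."""
    return xor_with_key(blob, derive_key(observed_context))


def decodes_correctly(blob: bytes, observed_context: bytes) -> bool:
    # Demonstration only: a real decoder has no plaintext to compare against,
    # which is exactly why an analyst cannot tell success from failure either.
    return decode(blob, observed_context) == PAYLOAD


if __name__ == "__main__":
    blob = encode(PAYLOAD, TARGET_CONTEXT)
    print("target context :", decodes_correctly(blob, TARGET_CONTEXT))
    print("sandbox context:", decodes_correctly(blob, b"hostname=sandbox-vm"))
```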
Copyright 2010, SecurityFocus