>Oddly enough, I just published a paper on >shellcode encoding for evading
>network security/monitoring systems that cites >two different projects >that attempt to do this type of thing for >shellcode in real-time in a >sandbox environment, however they both were not >ID/PS systems: > >http://www.uninformed.org/?v=9&a=3&t=sumry I checked your biblio and much of the existing work done in the area of IDS/IPS evasion using payload customization and attack blending is not mentioned there. Have you seen the paper from Georgia Tech Information Security Group by Kolesnikov and Lee on polymorphic blending published in 2004? 1.Kolesnikov, Lee Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic, http://smartech.gatech.edu/handle/1853/6485 The paper described creating custom attacks/payloads based on knowledge about the target network so as to evade IDS. Also, see the following follow-up work from UC Berkeley and CMU: 1. Song, Newsome, et al. Polygraph: Automatically Generating Signatures for Polymorphic Worms http://www.cs.berkeley.edu/~dawnsong/papers/polygraph.pdf The work suggests ways to address the threat and discussed possible solutions. 2. Fogla, Sharif, et al. Polymorphic Blending Attacks http://www.usenix.org/events/sec06/tech/fogla.html The work formalizes the concept of polymorphic blending attacks. Roy ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
