On Fri, 2008-02-15 at 21:43 +0000, [EMAIL PROTECTED] wrote:
> > Oddly enough, I just published a paper on shellcode encoding for evading
> > network security/monitoring systems that cites two different projects
> > that attempt to do this type of thing for shellcode in real-time in a
> > sandbox environment, however they both were not ID/PS systems:
> >
> > http://www.uninformed.org/?v=9&a=3&t=sumry
>
> I checked your biblio and much of the existing work done in the area of
> IDS/IPS evasion using payload customization and attack blending is not
> mentioned there.
The two citations I was referring to in my paper were 4 and 5, and as I
mentioned, were NOT ID/PS systems. Also, my paper is (in a nutshell) about
applying the approach of keyed cryptography (i.e., keeping the key secret) to
payload encoding in an effort to avoid automated analysis or forensics, not
necessarily about ID/PS evasion (no ID/PSs I am aware of currently try to do
this, hence the discussion in this thread). These differences in subject
matter are why there were no references to previous research regarding
payload polymorphism and attack blending. My original point was that even
though ID/PSs aren't currently doing this, it doesn't mean that other types
of systems aren't.

> Have you seen the paper from Georgia Tech Information Security Group by
> Kolesnikov and Lee on polymorphic blending published in 2004?
>
> 1. Kolesnikov, Lee
> Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic,
> http://smartech.gatech.edu/handle/1853/6485
>
> The paper described creating custom attacks/payloads based on knowledge about
> the target network so as to evade IDS.

I had, and it's very interesting research. The difference in that research
effort versus contextual keying is that rather than attempting to, for
example, disguise yourself as a tree when romping about a forest, a
contextual-keyed encoded payload doesn't care if you can pick it out of the
environment because without the context key it won't decode and reveal what
it's doing, like hiding inside a cabin in that same forest; the cabin is easy
to see, however without the key to unlock the door an observer won't know
what's going on inside.

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.
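As an added illustration of the contextual-keying idea discussed in this thread (example code written for this page, not code from the uninformed.org paper or from either poster): a toy encoder/decoder in C where the key is never transmitted but derived from context bytes the encoder expects to exist on the intended target. The encoded blob is plainly visible, yet decoding it anywhere the context differs yields nothing usable, which is the "cabin in the forest" point above. The FNV-1a key derivation, the trailing integrity tag, the stand-in payload and the HOSTNAME context strings are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 4

/* Stand-in payload bytes constructed for this example; not shellcode. */
static const uint8_t SAMPLE_PAYLOAD[] = "stand-in payload bytes";

/* Context the encoder expects to find on the intended target (assumed here:
 * the value of an environment variable that only that host has). */
static const char *TARGET_CONTEXT = "HOSTNAME=prod-db-01";

/* FNV-1a 32-bit. Chosen for this example as a cheap way to turn arbitrary
 * context bytes into a fixed-width key; any derivation both sides agree on
 * would serve. */
static uint32_t fnv1a32(const uint8_t *data, size_t len)
{
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x01000193u;
    }
    return h;
}

/* The context key: derived from context bytes, never sent with the payload. */
uint32_t context_key(const uint8_t *ctx, size_t ctx_len)
{
    return fnv1a32(ctx, ctx_len);
}

/* Symmetric keystream: byte i is XORed with byte (i mod 4) of the key. */
static void xor_stream(uint8_t *buf, size_t len, uint32_t key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= (uint8_t)(key >> (8 * (i & 3)));
}

/* Encoder, run where the target's context is known. Output layout:
 * [payload ^ keystream][fnv1a32(payload) ^ keystream]. Returns bytes written;
 * out must have room for len + TAG_LEN bytes. */
size_t ck_encode(const uint8_t *plain, size_t len, const char *context,
                 uint8_t *out)
{
    uint32_t key = context_key((const uint8_t *)context, strlen(context));
    uint32_t tag = fnv1a32(plain, len);

    memcpy(out, plain, len);
    for (size_t i = 0; i < TAG_LEN; i++)
        out[len + i] = (uint8_t)(tag >> (8 * i));
    xor_stream(out, len + TAG_LEN, key);
    return len + TAG_LEN;
}

/* Decoder, what a stub on the target would do: rederive the key from the local
 * context, strip the keystream, and accept the result only if the tag matches.
 * Returns 1 and fills out/out_len on success, 0 (and wipes out) otherwise.
 * out must have room for blob_len bytes. */
int ck_decode(const uint8_t *blob, size_t blob_len, const char *context,
              uint8_t *out, size_t *out_len)
{
    if (blob_len < TAG_LEN)
        return 0;
    size_t len = blob_len - TAG_LEN;
    uint32_t key = context_key((const uint8_t *)context, strlen(context));

    memcpy(out, blob, blob_len);
    xor_stream(out, blob_len, key);

    uint32_t tag = 0;
    for (size_t i = 0; i < TAG_LEN; i++)
        tag |= (uint32_t)out[len + i] << (8 * i);

    if (tag != fnv1a32(out, len)) {
        memset(out, 0, blob_len); /* wrong context: nothing meaningful recovered */
        return 0;
    }
    *out_len = len;
    return 1;
}

/* Encode for TARGET_CONTEXT, then try to decode under decoder_context.
 * Returns 1 only if the original payload bytes come back. */
int ck_demo(const char *decoder_context)
{
    uint8_t blob[64], plain[64];
    size_t n = ck_encode(SAMPLE_PAYLOAD, sizeof SAMPLE_PAYLOAD,
                         TARGET_CONTEXT, blob);
    size_t plen = 0;

    if (!ck_decode(blob, n, decoder_context, plain, &plen))
        return 0;
    return plen == sizeof SAMPLE_PAYLOAD &&
           memcmp(plain, SAMPLE_PAYLOAD, plen) == 0;
}

int main(void)
{
    printf("decode on intended target:  %d\n", ck_demo(TARGET_CONTEXT));
    printf("decode in analysis sandbox: %d\n",
           ck_demo("HOSTNAME=analyst-sandbox"));
    return 0;
}
```

The blob carries no key material, so an observer who captures it and runs it in a sandbox with a different context recovers only a keystream-scrambled buffer and a failed tag check; the real decision of what the payload does is deferred until the intended context is present. A real decoder stub would read the context directly from the target (an environment variable, a memory value, or similar) instead of taking it as a string argument as this example does.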
