Content deleted Content added
added letter g this was meant to be 'signatures' |
m →Polymorphism: clean up, replaced: IEEE Security Privacy → IEEE Security & Privacy |
||
Line 12:
=== Polymorphism ===
Signature-based IDS often look for common attack patterns to match malicious traffic to signatures. To detect [[buffer overflow]] attacks, an IDS might look for the evidence of [[NOP slide]]s which are used to weaken the protection of [[address space layout randomization]].<ref name=":32">{{Cite journal|last1=Chaboya|first1=D. J.|last2=Raines|first2=R. A.|last3=Baldwin|first3=R. O.|last4=Mullins|first4=B. E.|date=2006-11-01|title=Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion|journal=IEEE Security & Privacy|volume=4|issue=6|pages=36–43|doi=10.1109/MSP.2006.159|s2cid=11444752 |issn=1540-7993}}</ref>
To obfuscate their attacks, attackers can use [[Polymorphic code|polymorphic shellcode]] to create unique attack patterns. This technique typically involves encoding the payload in some fashion (e.g., [[XOR]]-ing each byte with 0x95), then placing a decoder in front of the payload before sending it. When the target executes the code, it runs the decoder which rewrites the payload into its original form which the target then executes.<ref name=":12" /><ref name=":32" />
| |||