Content deleted Content added
m Aready in Category:Computer security exploits |
|||
Line 14:
Signature-based IDS often look for common attack patterns to match malicious traffic to signatures. To detect [[buffer overflow]] attacks, an IDS might look for the evidence of [[NOP slide]]s which are used to weaken the protection of [[address space layout randomization]].<ref name=":32">{{Cite journal|last=Chaboya|first=D. J.|last2=Raines|first2=R. A.|last3=Baldwin|first3=R. O.|last4=Mullins|first4=B. E.|date=2006-11-01|title=Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion|journal=IEEE Security Privacy|volume=4|issue=6|pages=36–43|doi=10.1109/MSP.2006.159|issn=1540-7993}}</ref>
To obfuscate their attacks, attackers can use [[Polymorphic code|polymorphic shellcode]] to create unique attack patterns. This technique typically involves encoding the payload in some fashion (e.g., [[XOR]]-ing each byte with 0x95), then placing a decoder in front of the payload before sending it. When the target executes the code, it runs the decoder which rewrites the payload into its original form which the target then executes.<ref name=":12" /><ref name=":32" />
Polymorphic attacks don't have a single detectable signature, making them very difficult for signature-based IDS, and even some anomaly-based IDS, to detect.<ref name=":12" /><ref name=":32" /> [[Shikata ga nai]] ("it cannot be helped") is a popular polymorphic encoder in the [[Metasploit Project|Metasploit]] framework used to convert malicious [[shellcode]] into difficult-to-detect polymorphic shellcode using XOR additive feedback.<ref>{{cite web|url=http://www.rapid7.com/db/modules/encoder/x86/shikata_ga_nai|title=Polymorphic XOR Additive Feedback Encoder|work=rapid7.com}}</ref>
| |||