Architecture for generic detection of machine code injection in computer networks
Principal author: | Rodrigo Rubira Branco |
---|---|
Publication date: | 2012 |
Document type: | Dissertation (master's thesis) |
Language: | eng |
Source title: | Biblioteca Digital de Teses e Dissertações do ITA |
Full text: | http://www.bd.bibl.ita.br/tde_busca/arquivo.php?codArquivo=2116 |
Abstract: | Since the creation of public exploitation frameworks, advanced payloads have been used in computer attacks. These attacks generally employ evasion techniques, have anti-forensics capabilities, and use compromised target machines as pivots to reach other machines in the network. They also use polymorphic malicious code that automatically transforms itself into semantically equivalent variants, which makes it difficult to detect. Current approaches that try to detect such attacks fail because they either generate a high number of false positives or require a high computing capacity to work properly. This thesis proposes an architecture for advanced payload detection that is structured in layers, each employing a different technique. The first layers use less computationally intensive techniques, while the last layers make use of smarter inspection techniques; the layered approach is what makes fine-grained checks possible. For instance, the first layer employs pattern matching while the last layer uses smart disassembly of the network traffic. To improve performance in the detection of forthcoming attacks, the proposed architecture allows the checking rules to be updated for the most frequently detected attacks. It addresses the high false-positive rate by using a confidence level that is updated according to the threat level observed by each layer. We implemented the architecture and evaluated it with real-life workloads on conventional hardware platforms, obtaining acceptable throughput. We also contribute the creation of a well-known return address layer, which optimizes the instruction emulation. |
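The layered design the abstract describes, as an added example written for this page and not code from the thesis: a cheap pattern-matching layer (NOP sleds), a well-known return address layer, and a disassembly layer that follows jmp/call flow to find the GetPC idiom that polymorphic decoders rely on, with each layer's threat level folded into one confidence value and a confirmed detection promoting a new rule into the cheap layer. Everything concrete here is an assumption made for the illustration: the x86 subset, the weights and the 0.6 threshold, the noisy-OR combination, the hypothetical addresses 0x7C86467B and 0x7C9D30D7, the constructed sample buffers, and the shortcut of starting emulation just past a return-address hit as the way the return-address layer optimizes emulation. The thesis's actual rules, thresholds and results are not reproduced.

```python
"""Layered detection of injected machine code (an illustration, not the thesis's
code): cheap layers first, the expensive disassembly layer seeded by a
return-address hit, threat levels folded into one confidence, rule promotion."""
import re
import struct

# Constructed sample inputs for this example (not taken from the thesis).
KNOWN_RET = 0x7C86467B                                # hypothetical known address
GETPC = b"\xeb\x03\x5e\xeb\x05\xe8\xf8\xff\xff\xff"   # jmp / pop esi / jmp / call -8
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
PAYLOAD = b"\x90" * 32 + struct.pack("<I", KNOWN_RET) + GETPC
SLED_ONLY = b"\x90" * 40 + b"padding bytes that are not code"
VARIANT = b"\x90" * 32 + struct.pack("<I", 0x7C9D30D7) + GETPC   # address unknown

# Layer 1: pattern matching (cheap).  A NOP sled alone is weak evidence.
SLED_RE = re.compile(rb"\x90{16,}")

def layer_patterns(buf):
    return 0.3 if SLED_RE.search(buf) else 0.0

# Layer 2: well-known return addresses (little-endian, as seen on the wire).
def layer_return_addresses(buf, table):
    """(threat, hint): hint is the offset just past the first hit, where emulation
    starts instead of trying every offset (our assumption about the optimisation)."""
    for off in range(len(buf) - 3):
        if buf[off:off + 4] in table:
            return 0.5, off + 4
    return 0.0, None

# Layer 3: a tiny x86 decoder plus jmp/call flow following (expensive).
SINGLE = {0x90: "nop", **{op: "push" for op in range(0x50, 0x58)},
          **{op: "pop" for op in range(0x58, 0x60)}}

def decode(buf, off):
    """Return (mnemonic, length, branch target) or None if not recognised."""
    if not 0 <= off < len(buf):
        return None
    op = buf[off]
    if op in SINGLE:
        return (SINGLE[op], 1, None)
    if op == 0xEB and off + 2 <= len(buf):            # jmp rel8
        return ("jmp", 2, off + 2 + struct.unpack_from("<b", buf, off + 1)[0])
    if op == 0xE8 and off + 5 <= len(buf):            # call rel32
        return ("call", 5, off + 5 + struct.unpack_from("<i", buf, off + 1)[0])
    return None

def follow_flow(buf, start, max_steps=64):
    """Follow jmp/call from start; a call whose target is a pop is the GetPC
    idiom (the pushed return address is read back as the payload's address)."""
    off, steps, seen, getpc = start, 0, set(), False
    while steps < max_steps and off not in seen:
        ins = decode(buf, off)
        if ins is None:
            break
        seen.add(off)
        steps += 1
        mnem, length, target = ins
        if mnem == "call":
            tgt = decode(buf, target)
            getpc = getpc or (tgt is not None and tgt[0] == "pop")
        if target is None:
            off += length
        elif 0 <= target < len(buf):
            off = target
        else:
            break
    return getpc, steps

def layer_disassembly(buf, hint=None):
    """Emulate from the hint if there is one, else from every offset; return
    (threat, start offset of the confirmed instruction chain)."""
    for start in ([hint] if hint is not None else range(len(buf))):
        getpc, steps = follow_flow(buf, start)
        if getpc and steps >= 3:
            return 0.6, start
    return 0.0, None

class LayeredDetector:
    THRESHOLD = 0.6

    def __init__(self, known_addrs):
        self.known = {struct.pack("<I", a) for a in known_addrs}

    def scan(self, buf):
        """Cheapest layers first; threat levels combined by noisy-OR, so one
        weak indicator stays below the threshold but agreeing layers exceed it."""
        ret_threat, hint = layer_return_addresses(buf, self.known)
        dis_threat, start = layer_disassembly(buf, hint)
        confidence = 1.0
        for threat in (layer_patterns(buf), ret_threat, dis_threat):
            confidence *= 1.0 - threat
        confidence = round(1.0 - confidence, 2)
        # Rule update (assumed heuristic): a payload confirmed by emulation but
        # unknown to the cheap layer has the four bytes before the chain start
        # (the overwritten return address) promoted into the address table.
        if dis_threat and hint is None and start is not None and start >= 4:
            self.known.add(buf[start - 4:start])
        return confidence, confidence >= self.THRESHOLD
```

Scanning the samples in order with `LayeredDetector([KNOWN_RET])` gives benign (0.0, False), payload (0.86, True), sled_only (0.3, False) and variant (0.72, True); scanning the variant a second time gives (0.86, True), because its address was learned on the first pass and the cheap return-address layer now catches it before emulation. The sled-only case is the false-positive argument in miniature: a single cheap indicator stays under the threshold until a smarter layer agrees.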
id |
ITA_70c91bfdd04f98edafa2624b64d6c4c5 |
oai_identifier_str |
oai:agregador.ibict.br.BDTD_ITA:oai:ita.br:2116 |
network_acronym_str |
ITA |
network_name_str |
Biblioteca Digital de Teses e Dissertações do ITA |
dc.title.none.fl_str_mv |
Architecture for generic detection of machine code injection in computer networks |
dc.contributor.none.fl_str_mv |
Celso Massaki Hirata |
dc.contributor.author.fl_str_mv |
Rodrigo Rubira Branco |
dc.subject.por.fl_str_mv |
Computer information security; Intrusion detection (computers); Software architecture; Access control; Communication networks; Telecommunications; Computing |
dc.date.none.fl_str_mv |
2012-06-03 |
dc.type.driver.fl_str_mv |
info:eu-repo/semantics/publishedVersion info:eu-repo/semantics/masterThesis |
dc.identifier.uri.fl_str_mv |
http://www.bd.bibl.ita.br/tde_busca/arquivo.php?codArquivo=2116 |
dc.language.iso.fl_str_mv |
eng |
dc.rights.driver.fl_str_mv |
info:eu-repo/semantics/openAccess |
dc.format.none.fl_str_mv |
application/pdf |
dc.publisher.none.fl_str_mv |
Instituto Tecnológico de Aeronáutica |
dc.source.none.fl_str_mv |
reponame:Biblioteca Digital de Teses e Dissertações do ITA instname:Instituto Tecnológico de Aeronáutica instacron:ITA |
repository.name.fl_str_mv |
Biblioteca Digital de Teses e Dissertações do ITA - Instituto Tecnológico de Aeronáutica |