Oddly enough, I just published a paper on >shellcode encoding for evading
network security/monitoring systems that cites >two different projects
that attempt to do this type of thing for >shellcode in real-time in a
sandbox environment, however they both were not >ID/PS systems:
http://www.uninformed.org/?v=9&a=3&t=sumry
I checked your biblio and much of the existing work done in the area of IDS/IPS
evasion using payload customization and attack blending is not mentioned there.
Have you seen the paper from Georgia Tech Information Security Group by
Kolesnikov and Lee on polymorphic blending published in 2004?
1.Kolesnikov, Lee
Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic,
http://smartech.gatech.edu/handle/1853/6485
The paper described creating custom attacks/payloads based on knowledge about
the target network so as to evade IDS.
Also, see the following follow-up work from UC Berkeley and CMU:
1. Song, Newsome, et al.
Polygraph: Automatically Generating Signatures
for Polymorphic Worms
http://www.cs.berkeley.edu/~dawnsong/papers/polygraph.pdf
The work suggests ways to address the threat and discussed possible solutions.
2. Fogla, Sharif, et al.
Polymorphic Blending Attacks
http://www.usenix.org/events/sec06/tech/fogla.html
The work formalizes the concept of polymorphic blending attacks.
Roy
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
