Experimental Results

To evaluate the detection effectiveness of STILL, we collected 12,000 polymorphic attack messages from 10 publicly available polymorphic engines, all of which encrypt the original shellcode. Seven of these ten engines come from the Metasploit framework [2]: Countdown, Alpha2, JumpCallAdditive, Pex, PexFnstenvMov, PexFnstenvSub, and ShikataGaNai. The other three engines are CLET, ADMmutate, and JempiScodes. ShikataGaNai, CLET, ADMmutate, and JempiScodes are advanced polymorphic engines that also obfuscate the decryption routine through metamorphism, such as instruction replacement and garbage insertion. CLET additionally uses spectrum analysis to defeat data-mining-based detection methods.

We generated 1,000 different attack messages with each of ADMmutate and CLET. For JempiScodes, we generated 3,000 different attack messages, 1,000 with each of its three obfuscation algorithms. We also generated 7,000 different attack messages using the Metasploit Framework, 1,000 with each of the following engines: Alpha2, JumpCallAdditive, Countdown, Pex, PexFnstenvMov, PexFnstenvSub, and ShikataGaNai. We tested the stand-alone prototype of STILL on these 12,000 attack messages. All of them were successfully detected.



xinran wang 2008-02-28