Evolving Buffer Overflow Attacks:

Mimicry attack design recognizes that network-borne attacks share a common set of steps but differ in the instructions used to reach those steps or to obfuscate the exploit. Moreover, the vast majority of research in this area assumes knowledge of privileged information associated with the target detector. Such an assumption constrains the problem of automating the design of such attacks to a very small search space, which is therefore amenable to exhaustive search. However, it also tends to limit the approach to open-source detectors, since no such privileged information is available for commercial detectors. Instead of making this assumption, we assume access to the public detector information alone, i.e., the anomaly rate. Evolutionary Computation is then used to search the much larger space of possible instruction sequences that result in a valid exploit while minimizing the anomaly rate. The resulting attacks have anomaly rates within 3% of those designed with privileged information, demonstrating that a hacker with no knowledge of the detector could successfully defeat the intrusion detection system.