Evolving Buffer Overflow Attacks:
Mimicry attack design recognizes that network-borne attacks share a common
set of steps but differ in the instructions used to reach those steps or to
obfuscate the exploit. Moreover, the vast majority of research in this area
assumes knowledge of privileged information associated with the target
detector. Such an assumption constrains the problem of automating the design
of such attacks to a very small search space, and therefore one amenable to
exhaustive search. However, this assumption also tends to limit the approach
to open source detectors (no such privileged information is available for
commercial detectors). Instead of making such an assumption, we assume access
to the public detector information alone, i.e., the anomaly rate. Evolutionary
Computation is then used to search the much larger space of possible
instruction sequences that result in a valid exploit while minimizing the
anomaly rate. The resulting attacks have anomaly rates within 3% of those
designed with privileged information, demonstrating that an attacker with no
knowledge of the detector could successfully defeat the intrusion detection
system.
- Kayacik H.G., Heywood M.I., Zincir-Heywood A.N. (2007) Evolving Buffer
Overflow Attacks with Detector Feedback. 4th European Workshop on the
Application of Nature-inspired Techniques to Telecommunication Networks and
other Connected Systems (EvoCOMNET07), Lecture Notes in Computer Science,
4448: 11-20, Springer-Verlag, 2007.