Firewall Wizards mailing list archives

Re: Efficiently detecting obfuscated shell code


From: Joseph S D Yao <jsdy () center osis gov>
Date: Wed, 4 Feb 2004 13:57:00 -0500

On Wed, Feb 04, 2004 at 11:39:16AM -0500, Don Parker wrote:
> Hey guys/gals, I have been sending this question around some of the lists, and have had
> little real discussion on it. Question being; is it possible to reliably detect an
> obfuscated egg? Many of the ids signatures I have seen are a little loose, and always go
> for the nop sled with some port matching.
...

Hi, Don.

Question being: define "reliably".  ;-)

If you mean 100%, then IIRC certain famous mathematicians who were
actually true "computer scientists" proved that it was not possible to
always determine the output of a program, which is equivalent to
determining whether a sequence of bytes is in fact intended to be a
program with some kind of specific goal in mind.

If you mean "pretty reliably", e.g., >> 99%, then it's a matter of
throwing heuristics with very low false negatives at the problem faster
than the bad guys can beat them.  Because [see above] they will always
be able to.

-- 
Joe Yao                         jsdy () center osis gov - Joseph S. D. Yao
OSIS Center Systems Support                                     EMT-B
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
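As an added illustration of the trade-off Joe describes (example code written for this archive page, not from either poster), the block below runs two NOP-sled heuristics over constructed buffers. The "loose" check looks for a run of 0x90 bytes; the widened check accepts any of a set of single-byte x86 instructions that fall through harmlessly (inc/dec, xchg, flag ops), which is how an obfuscated sled is usually built. The SLED_BYTES table, the 16-byte threshold, the placeholder egg and the sample buffers are all assumptions made for the example; the point it shows is that widening the heuristic catches the obfuscated sled but starts firing on ordinary data such as a run of 'A' (0x41 is inc ecx), which is the false-positive cost behind Joe's "faster than the bad guys can beat them".

```python
# Added example, not from the original thread: NOP-sled heuristics over
# constructed payloads, showing why a plain 0x90-run signature is loose
# and what widening it costs in false positives.

NOP = 0x90

# Single-byte x86 instructions that leave execution flowing into the next
# byte regardless of where the sled is entered, so they work as filler.
# This table is an assumption for illustration; real sleds draw from a
# larger set of one-byte opcodes.
SLED_BYTES = frozenset(
    [NOP]
    + list(range(0x40, 0x50))                       # inc/dec r32
    + [0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97]    # xchg eax, r32
    + [0xF8, 0xF9, 0xFC, 0xFD, 0x9B, 0x98, 0x99]    # clc stc cld std fwait cwde cdq
)

THRESHOLD = 16   # assumed minimum run length before we call it a sled


def longest_run(data: bytes, allowed) -> int:
    """Length of the longest contiguous run of bytes drawn from `allowed`."""
    best = cur = 0
    for b in data:
        if b in allowed:
            cur += 1
            best = max(best, cur)
        else:
            cur = 0
    return best


def naive_sled(data: bytes, threshold: int = THRESHOLD) -> bool:
    """The loose signature: a run of literal 0x90 NOPs."""
    return longest_run(data, {NOP}) >= threshold


def broad_sled(data: bytes, threshold: int = THRESHOLD) -> bool:
    """The widened heuristic: a run of any fall-through single-byte instruction."""
    return longest_run(data, SLED_BYTES) >= threshold


def classify(data: bytes) -> dict:
    """Run both heuristics and report what each would have flagged."""
    return {"naive": naive_sled(data), "broad": broad_sled(data)}


# Constructed sample buffers (not real captures or real shellcode).
FAKE_EGG = b"\xcc" * 4                         # placeholder for the payload proper
CLASSIC = b"\x90" * 64 + FAKE_EGG              # textbook sled
_filler = sorted(SLED_BYTES)                   # deterministic cycle through the table
OBFUSCATED = bytes(_filler[i % len(_filler)] for i in range(64)) + FAKE_EGG
BENIGN = b"A" * 32                             # e.g. protocol padding; 0x41 == inc ecx


if __name__ == "__main__":
    for name, buf in (("classic", CLASSIC), ("obfuscated", OBFUSCATED), ("benign", BENIGN)):
        print(f"{name:<11} {classify(buf)}")
```

The obfuscated sled never has more than one 0x90 in a row, so the naive check misses it while the broad check flags it; the same broad check then flags the all-'A' buffer, which contains no shellcode at all. Any widening of the byte table, or lowering of the threshold, moves the same dial: fewer false negatives, more false positives.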