Signatureless Breach Detection Under The Microscope presented at 44Con 2013

by Olli-Pekka Niemi, Antti Levomäki

Summary: Signatureless attack detection is becoming the hot topic in threat prevention. Client-side security vulnerabilities are often found in zero-day exploits in the wild, meaning that signature-based intrusion detection and prevention systems are not likely to catch these attacks. Signatureless detection systems are designed to detect these kinds of attacks, and they do provide an additional layer of security. One of the techniques deployed by signatureless systems is called sandboxing. In sandboxing, the signatureless attack detection system executes files that are being transferred over the network inside a sandbox. It carefully instruments the execution and, based on that, determines whether the file was malicious. We have analyzed signatureless detection, and particularly the sandboxing technique, and have found several issues in the concept. We have also found ways to completely evade sandboxing. We have taken some peeks into one of the market-leading sandboxing products and will disclose our findings. In this presentation we will discuss the problems we have identified in signatureless attack detection and sandboxing, and disclose our findings regarding one of the market-leading products. Attendees will better understand the limits of these systems: even though they provide an additional layer of security, there are issues one should know about.