Re: A Neural Network to detect polymorphic shellcodes



Hi,

A simpler strategy is to look for distinguishing features of the mutator.
I wrote such a preprocessor to detect mutated NOP sleds for snort a
while back. Search for "spp_fnord.c" in bugtraq archives and you
should find it.


I know the preprocessor. The problem is its false positive rate. I have not tested it, but I have read a lot about it.

I guess the false positive rate could be decreased if the fixed threshold of the NOP sled is set to a higher value. I am not sure, but I remember that I read that Linux shellcode generally has a big NOP zone (greater than 100 bytes)... is this true? (I focus on detecting Linux polymorphic worms.)

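As an added example (not spp_fnord.c and not code from either poster), here is a minimal fnord-style detector: it flags a run of consecutive single-byte x86 instructions that a sled mutator can substitute for 0x90, and a configurable run-length threshold decides when to alert. Both inputs are constructed inline: a 128-byte mutated sled in front of a stand-in payload, and a benign HTTP request whose uppercase header value is itself a valid run of inc/dec/push/pop opcodes. The opcode table is illustrative and shorter than the real preprocessor's; the sample sizes and the threshold values are assumptions chosen to show the trade-off the thread is discussing.

```c
/* Added example: fnord-style mutated NOP sled detection with a
 * run-length threshold. Not spp_fnord.c; opcode table is illustrative. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Single-byte x86 opcodes a mutator can use in place of 0x90 nop:
 * each executes without faulting and does not change control flow. */
int is_nop_equiv(unsigned char b)
{
    if (b == 0x90) return 1;                  /* nop */
    if (b >= 0x40 && b <= 0x4f) return 1;     /* inc/dec r32 */
    if (b >= 0x50 && b <= 0x5f) return 1;     /* push/pop r32 */
    if (b >= 0x91 && b <= 0x97) return 1;     /* xchg eax, r32 */
    switch (b) {
    case 0x27: case 0x2f: case 0x37: case 0x3f: /* daa das aaa aas */
    case 0x98: case 0x99:                       /* cwde cdq */
    case 0x9b: case 0x9e: case 0x9f:            /* fwait sahf lahf */
    case 0xf5: case 0xf8: case 0xf9:            /* cmc clc stc */
    case 0xfc: case 0xfd:                       /* cld std */
        return 1;
    default:
        return 0;
    }
}

/* Length of the longest run of consecutive NOP-equivalent bytes. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = is_nop_equiv(buf[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Alert when any run reaches the configured threshold. */
int sled_detected(const unsigned char *buf, size_t len, size_t threshold)
{
    return longest_nop_run(buf, len) >= threshold;
}

/* Constructed attack sample: sled_len bytes drawn from a pool of
 * NOP-equivalents, then a stand-in payload (xor eax,eax / xor ebx,ebx)
 * whose bytes are not in the table. out must hold sled_len + 4 bytes. */
size_t build_mutated_sample(unsigned char *out, size_t sled_len)
{
    static const unsigned char pool[] = {
        0x90, 0x41, 0x4a, 0x53, 0x5b, 0x93, 0x99, 0x9e, 0xf8, 0xfc, 0x27, 0x37
    };
    static const unsigned char payload[] = { 0x31, 0xc0, 0x31, 0xdb };
    for (size_t i = 0; i < sled_len; i++)
        out[i] = pool[(i * 7) % sizeof pool];   /* deterministic mix */
    memcpy(out + sled_len, payload, sizeof payload);
    return sled_len + sizeof payload;
}

/* Longest run in a constructed sled of sled_len bytes (max 252). */
size_t mutated_longest_run(size_t sled_len)
{
    unsigned char buf[256];
    if (sled_len > 252) sled_len = 252;
    size_t n = build_mutated_sample(buf, sled_len);
    return longest_nop_run(buf, n);
}

/* Constructed benign sample: uppercase ASCII 0x41-0x5a decodes as
 * inc/dec/push/pop, so ordinary header text yields a 26-byte run. */
const char benign[] =
    "GET /INDEX.HTML HTTP/1.0\r\nX-SESSION-KEY: ABCDEFGHIJKLMNOPQRSTUVWXYZ\r\n";

size_t benign_longest_run(void)
{
    return longest_nop_run((const unsigned char *)benign, strlen(benign));
}

int main(void)
{
    unsigned char sample[256];
    size_t n = build_mutated_sample(sample, 128);
    size_t thresholds[] = { 16, 32, 100 };
    for (size_t t = 0; t < 3; t++) {
        printf("threshold %3zu: mutated sled -> %s, benign HTTP -> %s\n",
               thresholds[t],
               sled_detected(sample, n, thresholds[t]) ? "ALERT" : "ok",
               sled_detected((const unsigned char *)benign, strlen(benign),
                             thresholds[t]) ? "ALERT (false positive)" : "ok");
    }
    return 0;
}
```

With the thresholds in main(), 16 and 32 alert on the plain HTTP request as well as the sled, while 100 alerts only on the sled; the cost of the higher threshold is that any sled shorter than 100 bytes goes unflagged, which is why the length of real-world sleds matters for the tuning question above.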

