IDS Evasion with Unicode

by Eric Hacker
Sept. 19, 2017, Symantec Detection & Response

Recently, there has been much discussion of the Unicode problem with regard to intrusion detection. Some pundits, such as Stuart McClure and Joel Scambray, have gone so far as to claim that Unicode will contribute to the demise of Intrusion Detection Systems (IDSs). This article will explain what Unicode is, how it complicates intrusion detection and provides opportunities for IDS evasion, and what can be done about it. The discussion will focus in particular on the role of UTF-8, a means by which Unicode code points are encoded, in circumventing IDSs. The Unicode threat to IDSs is real and complicated. I will attempt to separate the hype from the truth and give readers the knowledge to understand the risk this threat presents to them.