A Hybrid Detection Approach for Zero-Day Polymorphic Shellcodes

Authors: Ting Chen, Xiaosong Zhang, Zhi Liu

DOI: 10.1109/EBISS.2009.5137874

Keywords:

Abstract: Zero-day shellcodes, armed with complex obfuscation techniques, have become a major threat to the Internet. However, even state-of-the-art NIDSs have small chances of detecting them because they rely on known signatures. This paper presents a hybrid detection approach for zero-day polymorphic shellcodes (HDPS) that works against shellcodes using various obfuscation techniques. Our approach first employs a heuristic that detects return addresses and filters out the mass of innocent network flows, then constructs a Markov model to determine the existence and location of executable code in the suspicious flows. Finally, it applies an elaborate NOP-sled detector to those executable codes. Initial experiments show that HDPS detects nearly all types of shellcodes, with a false positive rate that approximates zero and low overhead.
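The abstract only names the three stages, so the following is an added toy pipeline written for this page to make the staging concrete: a cheap return-address heuristic that discards most flows, a byte-level first-order Markov model that scores sliding windows by the log-likelihood ratio between a "code" model and a "benign" model to locate executable code, and a NOP-sled check on the result. It is not the authors' HDPS implementation; the thresholds, the NOP-equivalent instruction set, the training corpora, the sample request and the payload bytes are all constructed assumptions, and a real detector would train on real executables and captured traffic and decode instruction streams rather than count bytes.

```python
"""Toy three-stage shellcode screen in the spirit of the HDPS pipeline: return-
address heuristic, byte-level Markov model to locate code, NOP-sled check.
Added example for this page, not the authors' code; every threshold, training
corpus and byte string below is a constructed assumption."""
import math
from collections import Counter, defaultdict

# Stage 1: return-address heuristic (assumed form).  A stack-smashing payload
# usually repeats its return address to cover imprecise offsets, so the same
# 4-byte value recurs in the flow.
RET_REPEATS = 4

def repeated_dword(flow, threshold=RET_REPEATS):
    """Most frequent 4-byte value if it occurs >= threshold times, else None.
    Values whose four bytes are identical (a run of 0x90 or 0x00) are ignored
    so that padding does not masquerade as an address."""
    counts = Counter(flow[i:i + 4] for i in range(len(flow) - 3)
                     if len(set(flow[i:i + 4])) > 1)
    if not counts:
        return None
    value, n = counts.most_common(1)[0]
    return value if n >= threshold else None

# Stage 2: first-order Markov model over bytes, one trained on code and one on
# benign traffic; each window is scored by the log-likelihood ratio of the two.
class ByteMarkov:
    """P(next byte | current byte) with Laplace smoothing over 256 symbols."""
    def __init__(self, samples):
        self.trans = defaultdict(Counter)
        for s in samples:
            for a, b in zip(s, s[1:]):
                self.trans[a][b] += 1
        self.total = {a: sum(row.values()) for a, row in self.trans.items()}

    def logp(self, a, b):
        return math.log((self.trans[a][b] + 1) / (self.total.get(a, 0) + 256))

def locate_code(flow, code_model, benign_model, window=16):
    """Return (offset, llr) of the window that looks most like code; llr > 0
    means the code model fits the bytes better than the benign model."""
    best = (None, -math.inf)
    for off in range(len(flow) - window + 1):
        w = flow[off:off + window]
        llr = sum(code_model.logp(a, b) - benign_model.logp(a, b)
                  for a, b in zip(w, w[1:]))
        if llr > best[1]:
            best = (off, llr)
    return best

# Stage 3: NOP-sled check.  Assumed set of single-byte x86 instructions a
# polymorphic sled generator can use in place of NOP (0x90): inc/dec reg32
# (0x41-0x4F), daa/das/aaa/aas, cwde/cdq, clc/stc/cld/std.  Only the longest
# run of such bytes is measured; no instruction decoding is attempted.
NOP_EQUIV = {0x90, 0x27, 0x2F, 0x37, 0x3F, 0x98, 0x99, 0xF8, 0xF9, 0xFC, 0xFD}
NOP_EQUIV |= set(range(0x41, 0x50))
MIN_SLED = 16

def longest_sled(flow):
    """(start, length) of the longest run of NOP-equivalent bytes."""
    best_start = best_len = 0
    run_start = None
    for i, b in enumerate(flow):
        if b not in NOP_EQUIV:
            run_start = None
            continue
        if run_start is None:
            run_start = i
        if i - run_start + 1 > best_len:
            best_start, best_len = run_start, i - run_start + 1
    return best_start, best_len

def screen(flow, code_model, benign_model):
    """Run the three stages in order and return a verdict dict."""
    ret = repeated_dword(flow)
    if ret is None:                       # stage 1 drops the bulk of traffic
        return {"verdict": "innocent", "stage": 1}
    off, llr = locate_code(flow, code_model, benign_model)
    if off is None or llr <= 0:           # no window looks like code
        return {"verdict": "innocent", "stage": 2, "ret": ret}
    start, length = longest_sled(flow)
    verdict = "shellcode" if length >= MIN_SLED else "suspicious"
    return {"verdict": verdict, "stage": 3, "ret": ret, "code_at": off,
            "llr": llr, "sled": (start, length)}

# Constructed training data (a deployment would use real binaries and traffic).
CODE_SAMPLES = [
    b"\x55\x89\xe5\x83\xec\x10\x31\xc0\x5d\xc3",          # prologue/epilogue
    b"\x50\x53\x51\x52\x5a\x59\x5b\x58",                  # push/pop reg32
    b"\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80",  # mov imm32; int 0x80
    b"\xe8\x00\x00\x00\x00\x5b\x81\xc3\x10\x00\x00\x00",  # call/pop; add ebx
    b"\x90" * 8,                                          # NOP padding
]
BENIGN_SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: curl/7.0\r\n"
    b"Accept: */*\r\n\r\n",
    b"POST /login HTTP/1.1\r\nContent-Type: text/plain\r\n\r\nuser=bob",
]
CODE_MODEL = ByteMarkov(CODE_SAMPLES)
BENIGN_MODEL = ByteMarkov(BENIGN_SAMPLES)

# Constructed flows: a plain request, and the same request followed by a NOP
# sled, a stand-in for x86 code, and a made-up return address repeated 8 times.
REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SLED = b"\x90" * 24
CODE = (b"\x31\xc0\x89\xe5\x50\x53\x51\x52\x83\xec\x10\xb8\x04\x00\x00\x00"
        b"\x89\xc3\xe8\x00\x00\x00\x00\x5b\xc3")
RET = b"\x12\x45\xfa\x7f" * 8
BENIGN_FLOW = REQUEST
MALICIOUS_FLOW = REQUEST + SLED + CODE + RET
```

Calling `screen(BENIGN_FLOW, CODE_MODEL, BENIGN_MODEL)` stops at stage 1 because no 4-byte value recurs in the plain request, which is the point of putting the cheapest test first; `screen(MALICIOUS_FLOW, ...)` reports the repeated address, the offset of the window the Markov model scored highest (the start of the sled, since 0x90 to 0x90 transitions are common in the code corpus and absent from the benign one) and a 24-byte sled, and so returns "shellcode". The heuristic stage is also where false negatives are cheapest to introduce: a payload that does not repeat its return address never reaches the Markov stage, which is why the abstract's near-zero false positive rate should be read together with the filter's coverage.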

References (7)
Thomas Toth, Christopher Kruegel. Accurate buffer overflow detection via abstract payload execution. Recent Advances in Intrusion Detection (RAID), pp. 274-291, 2002. doi:10.1007/3-540-36084-0_15
P. Akritidis, E. P. Markatos, M. Polychronakis, K. Anagnostakis. STRIDE: Polymorphic sled detection through instruction sequence analysis. Information Security Conference (ISC), pp. 375-391, 2005. doi:10.1007/0-387-25660-1_25
Ikkyun Kim, Koohong Kang, YangSeo Choi, Daewon Kim, Jintae Oh, Kijun Han. A practical approach for detecting executable codes in network traffic. Asia-Pacific Network Operations and Management Symposium (APNOMS), pp. 354-363, 2007. doi:10.1007/978-3-540-75476-3_36
Udo Payer, Stefan Kraxberger. Polymorphic code detection with GA optimized Markov models. Communications and Multimedia Security (CMS), pp. 210-219, 2005. doi:10.1007/11552055_21
S. Jha, K. Tan, R. A. Maxion. Markov chains, classifiers, and intrusion detection. IEEE Computer Security Foundations Workshop (CSFW), pp. 206-219, 2001. doi:10.1109/CSFW.2001.930147
Fu-Hau Hsu, Fanglu Guo, Tzi-cker Chiueh. Scalable network-based buffer overflow attack detection. Proceedings of the 2006 ACM/IEEE Symposium on Architecture for Networking and Communications Systems (ANCS '06), pp. 163-172, 2006. doi:10.1145/1185347.1185370
Kostas G. Anagnostakis, Michalis Polychronakis, Evangelos P. Markatos. Network-level polymorphic shellcode detection using emulation. Lecture Notes in Computer Science, pp. 54-73, 2006.