Research on detection methods for polymorphic shellcode

Authors: Cao Wenpeng (曹文鹏), Su Yang (苏旸)

Affiliations: [1] Graduate Management Brigade, Engineering University of the People's Armed Police (武警工程大学), Xi'an 710086; [2] Department of Electronic Technology, Engineering University of the People's Armed Police, Xi'an 710086

Source: Application Research of Computers (《计算机应用研究》), 2015, No. 9, pp. 2816-2819 (4 pages)

Abstract: Among previous methods for detecting polymorphic shellcode, emulation-based dynamic detection methods mainly target the decoder part of the polymorphic shellcode. Although such methods can detect targets to some extent, their performance and resistance to attack are poor. To further improve detection accuracy and reduce the false positive rate, this paper improves on the existing emulation-based dynamic detection methods by introducing a shellcode behavior pattern matching mechanism: the behavior of the polymorphic shellcode after decoding is matched, according to given conditions, against common attack behavior patterns in order to determine and locate the position of the payload. Finally, the method was implemented and tested with the Libemu system. Shellcode samples were extracted from Metasploit and Nepenthes, and encoders were used to generate polymorphic samples; the method was evaluated in terms of both detection rate and false positive rate. The experiments show that the method has higher effectiveness and stability.

Keywords: polymorphic shellcode; dynamic emulation; behavior pattern matching

Classification number: TP393.08 [Automation and Computer Technology, Computer Application Technology]
