一种超椭球免疫理论启发的shellcode检测算法  被引量：1

作　　者：芦天亮[1,2] 张璐 蔡满春 杜彦辉[1,2] 刘颖卿 LU Tian-liang;ZHANG Lu;CAI Man-chun;DU Yan-hui;LIU Ying-qing(Collaborative Innovation Center of Security and Law for Cyberspace, People＇ s Public Security University of China, Beijing 100038, China;Information Technology and Network Security Institute, People＇ s Public Security University of China, Beijing 100038, China;Research Institute of China Mobile Communications Co. Ltd. ,Beijing 100053 ,China)

机构地区：[1]中国人民公安大学网络空间安全与法治协同创新中心,北京100038 [2]中国人民公安大学信息技术与网络安全学院,北京100038 [3]中国移动通信有限公司研究院,北京100053

出　　处：《小型微型计算机系统》2018年第6期1255-1259,共5页Journal of Chinese Computer Systems

基　　金：2017年国家重点研发计划项目(2017YFB0802804)资助;国家自然科学基金项目(61602489)资助;赛尔网络下一代互联网技术创新项目(NGII20160405)资助

摘　　要：为了解决特征码匹配技术对于未知或多态shellcode检测效率较低的问题,提出一种基于人工免疫系统的shellcode检测算法AIS-SDA.提取shellcode的静态和动态特征,通过反汇编获得汇编指令序列,通过模拟执行获得API函数调用序列,基于n-gram模型编码生成抗原.利用超椭球对免疫检测器编码提高非我空间覆盖率,检测器经历阴性选择算法的免疫耐受后成熟.对成熟检测器克隆和遗传变异,运用超椭球改变朝向、迁移中心和伸缩半轴等手段实现检测器的优化,生成更加优秀的抗体后代.最后,对收集的shellcode样本进行实验验证,结果表明,该方法对非编码和多态shellcode均具有较高的检测准确率.To solve the problem that signature matching technology has low detection rate for unknown or polymorphic shellcode,a shellcode detection algorithm AIS-SDA based on artificial immune system was proposed. Both static and dynamic features of shellcode were extracted. The shellcode was disassembled to assembly instruction sequence,and the API function sequence of shellcode was obtained by simulation execution. These features were encoded to antigens based on n-gram model. To improve non-self space coverage rate,the immune detectors were encoded to hyper-ellipsoids. Immature detectors became mature after immune tolerance based on negative selection algorithm. To generate more excellent antibody offspring,the detectors were optimized through clone and genetic mutate,using center movement,stretch and reorient methods. Finally,shellcode samples were collected and tested,and result shows that the proposed method has higher detection accuracy for both non-encoded shellcode and polymorphic shellcode.

关 键 词：人工免疫 shellcode检测 超椭球 遗传算法 

分 类 号：TP393[自动化与计算机技术—计算机应用技术]