Computer Science (计算机科学) ›› 2011, Vol. 38 ›› Issue (12): 125-127.

• Computer Networks and Information Security •

Attack Code Detection Method Combining Static and Dynamic Techniques

赵帅,丁保贞,沈备军,林九川   

  1. (School of Software, Shanghai Jiao Tong University, Shanghai 200240); (The Third Research Institute of the Ministry of Public Security, Shanghai 201204)
  • Online: 2018-12-01 Published: 2018-12-01

Method of Shellcode Detection Based on Static and Dynamic Mechanism


Abstract (Chinese): Buffer overflow attacks have been one of the most serious security problems in recent years: attackers exploit buffer overflow vulnerabilities to execute remote code and thereby achieve their goals. Shellcode, as the vehicle of the attack, is the main object of buffer overflow attack detection. As detection techniques have advanced, attackers increasingly use polymorphic techniques to encrypt Shellcode in order to evade IDS detection. Targeting Shellcode under the MS Windows operating system, this paper proposes a new attack code detection method that combines static detection with dynamic execution. It defines new detection criteria, using dynamic emulation to raise the detection rate for polymorphic Shellcode while also taking detection efficiency into account. Based on this method, a prototype system was designed and implemented, and it was tested for detection rate, false positive rate and throughput. The test results show that the system achieves satisfactory results in both the accuracy and the performance of Shellcode detection.

Keywords (Chinese): Shellcode, Static analysis, Dynamic execution

Abstract: Buffer overflow attacks have been a major security problem in recent years, where attackers utilize buffer overflow vulnerabilities to control other computers. As the vehicle of attack, Shellcode is the main target of buffer overflow attack detection. Now attackers tend to employ polymorphic techniques to encode Shellcode, which makes it harder for signature-based NIDS to detect it. This paper proposes a new method to detect Shellcode executed under MS Windows, which integrates static analysis and dynamic execution techniques. It defines new principles of Shellcode detection, which enhance both the accuracy and the performance of polymorphic Shellcode detection. A prototype system was then implemented and tested. The test results on both accuracy and performance are quite encouraging.

Key words: Shellcode, Static analysis, Dynamic execution
