A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows

Chinchani, Ramkumar; Berg, Eric van den

doi:10.1007/11663812_15

Cited by 72 publications

(103 citation statements)

References 22 publications

Supporting

Mentioning

103

Contrasting

Order By: Relevance

“…Initial approaches focused on the identification of the sled component that often precedes the shellcode [2,29]. Recent works aim to detect the polymorphic shellcode itself using various approaches, such as the identification of structural similarities among different worm instances [15], control and data flow analysis [8,32], or neural networks [21].…”

Section: Related Workmentioning

confidence: 99%

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Polychronakis

Anagnostakis

Markatos

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Network-level emulation has recently been proposed as a method for the accurate detection of previously unknown polymorphic code injection attacks. In this paper, we extend network-level emulation along two lines. First, we present an improved execution behavior heuristic that enables the detection of a certain class of non-self-contained polymorphic shellcodes that are currently missed by existing emulation-based approaches. Second, we present two generic algorithmic optimizations that improve the runtime performance of the detector. We have implemented a prototype of the proposed technique and evaluated it using off-the-shelf non-self-contained polymorphic shellcode engines and benign data. The detector achieves a modest processing throughput, which however is enough for decent runtime performance on actual deployments, while it has not produced any false positives. Finally, we report attack activity statistics from a seven-month deployment of our prototype in a production network, which demonstrate the effectiveness and practicality of our approach.

show abstract

Section: Related Workmentioning

confidence: 99%

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Polychronakis

Anagnostakis

Markatos

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In [52], Toth and Kruegel proposed identifying exploit code by detecting NOP sleds. However, attacks can bypass this detection technique by either excluding NOP sleds or by using polymorphic techniques [11,16,30]. Chritodorescu and colleagues [12,13] proposed techniques to detect malicious patterns in executables using semantic heuristics.…”

Section: Related Workmentioning

confidence: 99%

“…Lakhotia and Eric in [27] used content analysis techniques to detect obfuscated calls in binaries. Chinchani and van den Berg proposed a rule-based scheme in [11]. Wang et al proposed SigFree [55] that checks if network packets contain malicious codes using "push and call" patterns and the number of useful instructions in the longest possible execution chain.…”

Section: Related Workmentioning

confidence: 99%

JSGuard: Shellcode Detection in JavaScript

Zhang

Bai

et al. 2013

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. JavaScript (JS) based shellcode injections are among the most dangerous attacks to computer systems. Existing approaches have various limitations in detecting such attacks. In this paper, we propose a new detection methodology that overcomes these limitations by fully using JS code execution environment information. We leverage this information and create a virtual execution environment where shellcodes' real behavior can be precisely monitored and detection redundancy can be reduced. Following this methodology, we implement JSGuard, a prototype malicious JS code detection system in Debian Linux with kernel version 2.6.26. Our extensive experiments show that JSGuard reports very few false positives and false negatives with acceptable overhead.

show abstract

“…In the past few years, many detection approaches [1], [3], [4], [6], [9] have been proposed. Basically, these methods can be divided into two categories: static analysis [3], [4] and dynamic analysis [1], [6], [9].…”

Section: Introductionmentioning

confidence: 99%

“…Basically, these methods can be divided into two categories: static analysis [3], [4] and dynamic analysis [1], [6], [9]. The core idea of static analysis is to disassemble the network stream and then analyze the code-level patterns that could be signatures obtained from existing shellcode.…”

Section: Introductionmentioning

confidence: 99%

Efficient Shellcode Detection on Commodity Hardware

Tian

Chen

et al. 2013

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYAs more and more software vulnerabilities are exposed, shellcode has become very popular in recent years. It is widely used by attackers to exploit vulnerabilities and then hijack program's execution. Previous solutions suffer from limitations in that: 1) Some methods based on static analysis may fail to detect the shellcode using obfuscation techniques. 2) Other methods based on dynamic analysis could impose considerable performance overhead. In this paper, we propose Lemo, an efficient shellcode detection system. Our system is compatible with commodity hardware and operating systems, which enables deployment. To improve the performance of our system, we make use of the multi-core technology. The experiments show that our system can detect shellcode efficiently.

show abstract

A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows

Cited by 72 publications

References 22 publications

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

JSGuard: Shellcode Detection in JavaScript

Efficient Shellcode Detection on Commodity Hardware

Contact Info

Product

Resources

About