LanJia Wang,HaiXin Duan,Xing Li

DOI: https://doi.org/10.1007/s11432-008-0150-x

2008-01-01

Science in China Series F Information Sciences

Abstract:It is a promising way to detect polymorphic shellcode using emulation method. However, previous emulation-based approaches are limited in their performance and resilience against evasions. A new enhanced emulation-based detection approach is proposed, including an automaton-based model of the dynamic behavior of polymorphic shellcode and a detection algorithm, the detection criterion of which is derived from that model and ensures high detection accuracy. The algorithm also contains several optimization techniques, highly improving the running performance and the resilience against detection evasion shellcode. We have implemented a prototype system for our approach. The advantages of our algorithm are validated by the experiments with real network data, polymorphic shellcode samples generated by available polymorphic engines and hand-crafted detection evasion shellcode.

ZHAO Shuai,DING Bao-zhen,SHEN Bei-jun,LIN Jiu-chuan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.028

2011-01-01

Computer Science

Abstract:Buffer overflow attack has been a major security problem in recent years,where attackers utilize buffer overflow vulnerabilities to control other computers.As the vehicle of attack,Shellcode is the main target of buffer overflow attack detections.Now attackers tend to employ polymorphic techniques to encode Shellcode,which makes it harder for signature-based NIDS to detect it.This paper proposed a new method to detect the Shellcode executed under MS Windows,which integrates static analysis and dynamic execution techniques.It made some new principles of Shellcode detection,which enhance both the accuracy and performance of polymorphic Shellcode detection.Then a prototype system was implemented and tested.The test results on both the accuracy and performance are quite encouraging.

Yonggan Hou,J. W. Zhuge,Dan Xin,Wenya Feng

DOI: https://doi.org/10.1007/978-3-319-06320-1_13

2014-01-01

Abstract:An important method of detecting zero-day attacks is to identify the shellcode which is usually taken as part of the attacks. However, the detection range is always restricted, for existent emulation based detection techniques only take several features that are observed when shellcode is emulated. In this paper, we propose a new shellcode detection algorithm based on emulation and Support Vector Machine(SVM). One of the most prominent advantages is that by means of emulating, we can get the real executed path which includes key features to identify shellcode e.g. loop, xor, GetPC etc. Moreover, by recording aforementioned features and training them with SVM, we can rely on general features to detect shellcode rather than on specific features. In addition, we build a complete shellcode data set so that other researchers can focus on detection algorithms. We have implemented a prototype system named SBE on Ubuntu/Amd-64 and tested our algorithm with various kinds of shellcode. Experiment shows that the proposed algorithm has a better detection rate than Libemu and could effectively detect all x86 shellcode with very few false positives.

Chen Yue,Xue Zhi,Wang Yijun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.01.065

2007-01-01

Abstract: At present, buffer overflow still stands as one of the most prevalent and efficient way to attack network system. It usually results from manually attack by hackers and self-propagation attack by worms or viruses. With the development of NIDS, it is feasible to detect buffer overflow attack by simple Shellcode pattern-matching. However, the appearance of Shellcode polymorphism enables Shellcode to evade the detection of NIDS. This paper demonstrates a variety of detailed shellcode polymorphic technology against traditional IDS discerning method and presents new tech- nology and orientation to detect the polymorphic shellcode.

Pan Xiaohui,Zhang Xiaosong,Chen Ting

DOI: https://doi.org/10.1109/ebiss.2009.5137885

2009-01-01

Abstract:Since worms have become a major threat of cybersecurity, several detection approaches have been proposed to detect them. However, attackers have exploited state-of-the-art techniques to evade these detection systems, such as polymorphism and metamorphism, making existing systems ineffective. In this paper, we propose a hybrid method for the detection of polymorphic worms. It uses improved Reverse Sequential Hypothesis Testing (RSHT) to detect portscans which are routinely used to find vulnerable hosts to compromise. Then a CPU emulator is used to execute every possible instruction sequence in suspicious traffic and determine whether it is an exploit code. We implemented a prototype and tested it using real polymorphic worms. Initial experimental results show that our approach is effective with high accuracy.

Chen Ting,Zhang Xiaosong,Liu Zhi

DOI: https://doi.org/10.1109/EBISS.2009.5137874

2009-01-01

Abstract:Zero-day shellcodes has become a major threat to the Internet with complex obfuscation techniques. However, even the state-of-the-art NIDS has small chances of detecting them because they rely on known signatures. This paper presents Hybrid Detection for zero-day Polymorphic Shellcodes (HDPS) against shellcodes using various obfuscations. Our approach employs a heuristic approach to detect return address and filter mass innocent network flows, and then constructs a Markov Model to detect the existence and location of executable codes in suspicious flows. Finally, it applies an elaborate approach to detect NOP Sleds in the executable codes. Initial experiments show HDPS detects nearly all types of shellcodes, and the false positive rate approximates zero with low overhead.

Ruoxu Zhao,Dawu Gu,Juanru Li,Hui Liu

DOI: https://doi.org/10.1007/978-3-642-34129-8_22

2012-01-01

Abstract:Malware often encrypts its malicious code and sensitive data to avoid static pattern detection, thus detecting encryption functions and extracting the encryption keys in a malware can be very useful in security analysis. However, it's a complicated process to automatically detect encryption functions among huge amount of binary code, and the main challenge is to keep high efficiency and accuracy at the same time. In this paper we propose an enhanced detection approach. First we designed a novel process level emulation technique to efficiently analyze binary code, which is less resource-consuming compared with full system emulation. Further, we conduct program partitioning and assembly-to-IL(intermediate language) translation on binary code to simplify the analysis. We applied our approach to sample programs using cryptographic libraries and custom implemented version of typical encryption algorithms, and showed that these routines can be detected efficiently. It is convenient for analysts to use our approach to deal with the encrypted data within malware automatically. Our approach also provides an extensible interface for analysts to add extra templates to detect other forms of functions besides encryption routines.

Meng Li,Xiaoqi Jia,Rui Wang,Dongdai Lin

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.08.063

2015-01-01

Abstract:In malicious code analysis and detection, the static analysis techniques are not effective to detect metamorphic/polymorphic ma-licious codes.Aiming at this problem, this paper proposes an approach for extracting the dynamic features of malicious code semantics.The method extracts the dynamic features of malicious codes in virtual environment so as to achieve the purpose of protecting physical machine. The primitive features extracted are then further sifted and processed to obtain API calling sequence information in regard to various code sam-ples.In order to make the features more effective, the traditional n-gram model is improved and the n-gram frequency information and the de-pendencies between APIs are added, the improved n-gram model is built as well.The analysis part in experimental result uses the machine learning methods, the decision trees, k-nearest neighbour, support vector machine and Bayesian networks are employed separately to perform a 10-fold crossover validation on the selected sample features.Experimental results show that this feature selection has best detection effect using decision tree J48, it can effectively detect the malicious codes using confusion and polymorphism technologies.

Xin-yu ZHU,Qian-feng CHU,Gong-shen LIU

DOI: https://doi.org/10.3969/j.issn.1002-0802.2017.08.031

2017-01-01

Abstract:In recent years, the packing technology develop rapidly, and this gives malicious code a new way to escape the detection. The continuous development of packing technology brings a great challenge to the detection of malicious code. How to achieve malicious code shelling and restore the original content of the program now becomes one of the important areas of computer security research. Based on analysis of the shelling principle, and from two aspects of static and dynamic, the current malicious code shelling technology is summarized, and the principles, features and limits of various detecting methods also expounded. Meanwhile, different kinds of shelling tools are sorted out and described. Finally, the development trend of shelling technology is forecasted.

Nitin Kanaskar,Remzi Seker,Jiang Bian,Vir V. Phoha

DOI: https://doi.org/10.1109/TSMCC.2012.2208187

2012-01-01

Abstract:Code injection is a common approach which is utilized to exploit applications. We introduce some of the well-established techniques and formalisms of dynamical system theory into analysis of program behavior via system calls to detect code injections into an applications execution space. We accept a program as a blackbox dynamical system whose internals are not known, but whose output we can observe. The blackbox system observable in our model is the system calls the program makes. The collected system calls are treated as signals which are used to reconstruct the system’s phase space. Then, by using the well-established techniques from dynamical system theory, we quantify the amount of complexity of the system’s (program’s) behavior. The change in the behavior of a compromised system is detected as anomalous behavior compared with the baseline established from a clean program. We test the proposed approach against DARPA-98 dataset and a real-world exploit and present code injection experiments to show the applicability of our approach.

Fei Chen,Yan Fu

DOI: https://doi.org/10.1109/DBTA.2009.127

2009-01-01

Abstract:In this paper, we propose a new approach for the dynamic detection of malicious executables on the platform of Windows. Our approach extracts signatures of malicious executable's behaviors by using API (Application Program Interface) interception technique which makes possible the detection of unknown malicious executables. The dynamic detection of unknown malicious executables is achieved in three major steps: getting the sequence of API function calls of the executable, processing the API sequence to generate a vector, calculating the similarity between the vector and the feature library constructed by security policies to verify if the executable is malicious. The experiment confirms that this approach is effective in detection of unknown malicious executables.

Wei Li,Chenyi Zhang,Jieying Zhou,Dan Wang,Nuannuan Li

DOI: https://doi.org/10.1088/1742-6596/2010/1/012165

2021-09-01

Journal of Physics: Conference Series

Abstract:Abstract In recent years, malicious code emerges in endlessly. New types of malicious code evade the traditional malicious code detection technology through polymorphism, shelling, confusion and other ways. In order to solve the challenges brought by various technologies to the research of malicious code detection, in this paper, we propose a malicious code detection method based on static features and ensemble learning. This method extracts the information in the PE header file of malicious code samples as static features, and on this basis, builds a malicious code detection model by using stacking ensemble learning. In order to verify the effectiveness of the model, experiments are carried out on a dataset containing 5000 malicious codes and 4943 benign codes. Experiments show that the classification model based on stacking ensemble learning is the best, with 97.22% precision rate and 96.45% stable F1 score.

GUAN Yun-tao,DUAN Hai-xin

2009-01-01

Abstract:With the application of polymorphism,metamorphism and packing techniques,the analysis and detection of modern malware becomes more difficult.Manual malware analysis fails to handle this situation due to its unacceptable cost and human force involvement.The author design and implement an automated malware dynamic analysis system named MwDAS using kernel hooking and filter driver technologies,which can automatically analyze malware sample,extract and detail malware's behaviors into a well-organized report.The experiment shows that MwDAS can dramatically improve the analysis efficiency.

潘剑锋,刘守群,奚宏生,谭小彬

2010-01-01

Abstract:The present study proposes a method for hidden malcode detection based on the analysis of dynamic control-flow. First we recorded the malcode-related control-flow paths of program, and then the control-flow paths were analyzed, by calling tree match algorithm, to detect the hidden malcode in the system. The experiments show that this method can detect hidden malcode efficiently at a high detection rate and with low false positive, and thus it can be applied to malcode detection on operating systems.

李佳静,梁知音,韦韬,邹维,毛剑

DOI: https://doi.org/10.3724/sp.j.1001.2010.03507

2010-01-01

Abstract:In this paper, a novel method is presented to solve these problems.This method processes the X86 executable programs statically, so it has a higher code coverage than dynamic methods.Besides, it employs a data flow analysis method to identify the jump targets for indirect jumps.It also utilizes optimized tainting mark rules based on the operation semantic of branch conditions.Experiments on 103 real malwares and 7 benign softwares show that the proposed method has the following advantages: For Trojan-spy program detection, it can reduce the false negatives caused by the explicit-flow-sensitive method, and it is effective in dealing with information steal behaviors triggered by some particular conditions.For benign program analysis, it can reduce most of the tainted branches that should be tracked in the original implicit-flow-sensitive method without optimization.

DENG Chao-guo,GU Da-wu,LI Juan-ru,SUN Ming

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.04.066

2011-01-01

Abstract:This paper proposed an approach of binary analysis based on full-system emulation and instruction-flow analysis technology.This approach ran executable binary code on a virtual machine which used full-system emulation technology,and then captured and analyzed runtime instruction-flow information to figure out this program's feature.This paper covered design and implement of such a binary code analysis system.Experiment result illustrates that it is more efficient and general to capture,extract and analyze runtime instruction-flow information by using this system.This approach is particularly effective to analyze binary code which uses anti-analysis technology.

LIU Heng,WEN Wei-ping,WAN Zheng-su

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.005

2011-01-01

Abstract:Static analysis and dynamic analysis are the two common analysis methods in malware analysis. With the anti-debugging, program packers, code obfuscation, polymorphism and variants such technologies coming out, the limitations of static analysis methods become more and more. Here is a tool to dynamic analysis Malware Code based on kernel callback and Regular Expressions, demonstrate it’s capabilities by analyzing the Fujacks .As a result ,improved the efficiency of the tool in the automating analysis.

Gwangyeol Lee,Minho Kim,Jeong Hyun Yi,Haehyun Cho

DOI: https://doi.org/10.3390/electronics13112081

IF: 2.9

2024-05-28

Electronics

Abstract:Original Entry Point (OEP) and API obfuscation techniques greatly hinder the analysis of malware. Contemporary packers, employing these sophisticated obfuscation strategies, continue to pose unresolved challenges, despite extensive research efforts. Recent studies, like API-Xray, have mainly concentrated on rebuilding obfuscated import tables in malware, but research into OEP obfuscation is still limited. As a solution, we present Pinicorn, an automated dynamic de-obfuscation system designed to tackle these complexities. Pinicorn bypasses packers' anti-analysis techniques and retrieves the original program from memory. It is specifically designed to detect and analyze trampoline codes within both OEP and the import table. Our evaluation shows that Pinicorn successfully deobfuscates programs hidden by three different packers, confirming its effectiveness through a comparative analysis with their original versions. Furthermore, we conducted experiments on malware obfuscated by Themida and VMProtect, analyzing the obfuscation techniques and successfully de-obfuscating them to validate the effectiveness of our approach.

engineering, electrical & electronic,physics, applied,computer science, information systems

Min-Hao Wu,Fu-Hau Hsu,Jian-Hung Huang,Keyuan Wang,Yan-Ling Hwang,Hao-Jyun Wang,Jian-Xin Chen,Teng-Chuan Hsiao,Hao-Tsung Yang

DOI: https://doi.org/10.3390/electronics13173569

IF: 2.9

2024-09-09

Electronics

Abstract:In the late 20th century, computer viruses emerged as powerful malware that resides permanently in target hosts. For a virus to function, it must load into memory from persistent storage, such as a file on a hard drive. Due to the significant destructive potential of viruses, numerous defense measures have been developed to protect computer systems. Among these, antivirus software is one of the most recognized and widely used. Typically, antivirus solutions rely on static analysis (signature-based) technologies to detect infections in files stored on permanent storage devices, such as hard drives or USB (Universal Serial Bus) flash drives. However, a new breed of malware, fileless malware, has been designed to evade detection and enhance durability. Fileless malware resides solely in the memory of the target hosts, circumventing traditional antivirus software, which cannot access or analyze processes executed directly from memory. This study proposes the Check-on-Execution (CoE) kernel-based approach to detect fileless malware on Linux systems. CoE intervenes by suspending code execution before a program executes code from a process's writable and executable memory area. To prevent the execution of fileless malware, CoE extracts the code from memory, packages it with an ELF (Executable and Linkable Format) header to create an ELF file, and uses VirusTotal for analysis. Experimental results demonstrate that CoE significantly enhances a Linux system's ability to defend against fileless malware. Additionally, CoE effectively protects against shell code injection attacks, including buffer and memory overflows, and can handle packed malware. However, it is important to note that this study focuses exclusively on fileless malware, and further research is needed to address other types of malware.

engineering, electrical & electronic,computer science, information systems,physics, applied

zhiyin liang,tao wei,yu zong chen,xinhui han,jianwei zhuge,wanhong zou

2007-01-01

Abstract:In recent years with the popularity of source code sharing, the number of types of malware increases sharply; furthermore, malwares are also getting more and more sophisticated. These developments together propose a tremendous challenge to traditional ways of analyzing malware. One way to handle such challenge is to develop tools to automate the analyzing task, and in this paper we describe one such method for static analysis of malware. Inspired by the observation that a malicious executable usually consists of several components, each performing certain tasks, and that these components are often reused by others, our method employs techniques from reverse engineering and data clustering to component decomposing of an executable. For each component obtained, we then match it against a library of known malware components to identify it. For malicious programs, we further utilize the match result to classify them. We have built a prototype system called CompSim, and have applied it to analyze bot-like malicious executables. Initial results show that our approach has outperformed classical signature-based detection method in terms of false negative rate. Furthermore, comparing to dynamic analysis methods and model checking methods, our static method has the advantage of larger analytical coverage.