Racewalk: Fast Instruction Frequency Analysis and Classification for Shellcode Detection in Network Flow
D. Gamayunov, Nguyen Thoi Minh Quan, Fedor Sakharov, E. Toroshchin
2009 European Conference on Computer Network Defense, published 2009-11-09. DOI: 10.1109/EC2ND.2009.9 (https://doi.org/10.1109/EC2ND.2009.9)
Memory corruption attacks still play a significant role in present cybercrime activities, being one of the keystones for worm and virus propagation and for building botnets. Moreover, recent disclosures of widespread networking equipment vulnerabilities show that the problem is unlikely to fade away in the near future. The subject of this paper is NOP-sled detection — one of the approaches for detecting malicious code in network flow. A NOP-sled is a quite common shellcode preamble used in memory corruption attacks to increase the probability of successful target exploitation. We propose a significant modification of the Stride algorithm which has linear computational complexity and runs over 10 times faster than the original Stride, and a novel approach for NOP-sled detection using IA-32 instruction frequency analysis and SVM-based classification, which gives significantly fewer false positives than existing algorithms. Evaluation with Metasploit Framework, CLET, ecl-poly and ADMmutate shows that the various NOP-sleds produced by existing shellcode generators have instruction-frequency peculiarities, which make it possible to distinguish between sleds and normal network data with high accuracy while reducing the false-positive rate and operating at close to 1 Gbps.