Title :
A Hybrid Detection Approach for Zero-Day Polymorphic Shellcodes
Author :
Chen Ting ; Zhang Xiaosong ; Liu Zhi
Author_Institution :
Sch. of Comput. Sci. & Eng., Univ. of Electron. Sci. & Technol. of China (UESTC), Chengdu
Abstract :
Zero-day shellcodes, aided by complex obfuscation techniques, have become a major threat to the Internet. However, even state-of-the-art NIDS have little chance of detecting them, because they rely on known signatures. This paper presents a hybrid detection approach for zero-day polymorphic shellcodes (HDPS) that targets shellcodes using various obfuscations. Our approach first employs a heuristic method to detect return addresses and filter out the mass of innocent network flows; it then constructs a Markov model to detect the existence and location of executable code in the suspicious flows that remain. Finally, it applies an elaborate method to detect NOP sleds within the executable code. Initial experiments show that HDPS detects nearly all types of shellcodes, with a false positive rate approximating zero and low overhead.
Keywords :
Internet; Markov processes; security of data; telecommunication security; telecommunication traffic; Internet; Markov model; NOP Sleds detection; complex obfuscation technique; heuristic approach; hybrid zero-day polymorphic shellcode detection approach; mass innocent network flow filtering; state-of-the-art NIDS; suspicious flow; Buffer overflow; Computer architecture; Computer science; Genetic mutations; Information filtering; Information filters; Internet; Intrusion detection; Robustness; Statistics;
Conference_Title :
E-Business and Information System Security, 2009. EBISS '09. International Conference on
Conference_Location :
Wuhan
Print_ISBN :
978-1-4244-2909-7
Electronic_ISBN :
978-1-4244-2910-3
DOI :
10.1109/EBISS.2009.5137874