DocumentCode
2324602
Title
A Hybrid Detection Approach for Zero-Day Polymorphic Shellcodes
Author
Chen Ting ; Zhang Xiaosong ; Liu Zhi
Author_Institution
Sch. of Comput. Sci. & Eng., Univ. of Electron. Sci. & Technol. of China (UESTC), Chengdu
fYear
2009
fDate
23-24 May 2009
Firstpage
1
Lastpage
5
Abstract
Zero-day shellcodes using complex obfuscation techniques have become a major threat to the Internet. However, even state-of-the-art NIDSs have little chance of detecting them because they rely on known signatures. This paper presents a hybrid detection approach for zero-day polymorphic shellcodes (HDPS) that targets shellcodes using various obfuscations. Our approach first employs a heuristic method to detect return addresses and filter out the mass of innocent network flows, and then constructs a Markov model to detect the existence and location of executable code in the remaining suspicious flows. Finally, it applies an elaborate method to detect NOP sleds in the executable code. Initial experiments show that HDPS detects nearly all types of shellcodes, with a false positive rate approaching zero and low overhead.
Keywords
Internet; Markov processes; security of data; telecommunication security; telecommunication traffic; Internet; Markov model; NOP Sleds detection; complex obfuscation technique; heuristic approach; hybrid zero-day polymorphic shellcode detection approach; mass innocent network flow filtering; state-of-the-art NIDS; suspicious flow; Buffer overflow; Computer architecture; Computer science; Genetic mutations; Information filtering; Information filters; Internet; Intrusion detection; Robustness; Statistics;
fLanguage
English
Publisher
ieee
Conference_Titel
E-Business and Information System Security, 2009. EBISS '09. International Conference on
Conference_Location
Wuhan
Print_ISBN
978-1-4244-2909-7
Electronic_ISBN
978-1-4244-2910-3
Type
conf
DOI
10.1109/EBISS.2009.5137874
Filename
5137874