DocumentCode :
653793
Title :
Using instruction sequence abstraction for shellcode detection and attribution
Author :
Ziming Zhao ; Gail-Joon Ahn
Author_Institution :
Lab. of Security Eng. for Future Comput. (SEFCOM), Arizona State Univ., Tempe, AZ, USA
fYear :
2013
fDate :
14-16 Oct. 2013
Firstpage :
323
Lastpage :
331
Abstract :
Although several research teams have focused on binary code injection, it is still an unsolved problem. Misuse-based detection lacks the flexibility to tackle unseen malicious code samples, and anomaly-based detection on byte patterns is highly vulnerable to byte cramming and blending attacks. In addition, there is a pressing need to correlate newly detected code injection instances with known samples, both to better understand attack events and to tactically mitigate future threats. In this paper, we propose a technique for modeling shellcode detection and attribution through a novel feature extraction method, called instruction sequence abstraction, that extracts coarse-grained features from an instruction sequence. Our technique facilitates a Markov-chain-based model for shellcode detection and support vector machines for encoded shellcode attribution. We also describe our experimental results on shellcode samples to demonstrate the effectiveness of our approach.
Keywords :
Markov processes; binary codes; feature extraction; security of data; Markov chain; anomaly-based detection; attack events; binary code injection; blending attacks; byte cramming; byte patterns; code injection instances; feature extraction; instruction sequence abstraction; shellcode attribution; shellcode detection; tactically mitigating future threats; unseen malicious code samples; unsolved problem; vector machines; Binary codes; Engines; Feature extraction; Registers; Security; Support vector machines; Vectors;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Communications and Network Security (CNS), 2013 IEEE Conference on
Conference_Location :
National Harbor, MD
Type :
conf
DOI :
10.1109/CNS.2013.6682722
Filename :
6682722