
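Automatic Generation of Attack-based Signature
Cite this article: WANG Guo-dong, CHEN Ping, MAO Bing, XIE Li. Automatic Generation of Attack-based Signature[J]. Computer Science, 2012, 39(3): 118-123.
Authors: WANG Guo-dong  CHEN Ping  MAO Bing  XIE Li
Affiliation: (State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing 210093)
Funding: Supported by the National 863 High-Tech Research and Development Program (2007AA01Z448); the National 973 Key Basic Research Development Program (2009CB320705); the National Natural Science Foundation of China (60773171); and the Natural Science Foundation of Jiangsu Province (BK2007136)
Abstract: Signatures can be generated from information related to the characteristics of attacks. For control-flow attacks on the stack that target the return values of function calls and function call pointers, and for non-control-flow attacks that target data associated with decisions, binary signatures are generated using dynamic analysis. First, the vulnerability-related instructions are identified; then a virtual machine monitors the execution of these instructions; finally, the virtual machine is modified so that it raises an alert and generates a signature when it observes malicious write behavior. A patch file generated at the same time records the malicious write instructions so that subsequent executions can skip them. The signature can be distributed quickly to other hosts, where program execution is monitored on a lightweight virtual machine. Experiments show that binary signatures are accurate and compact, can defend against polymorphic attacks, and have a low false-negative rate; combined with a lightweight virtual machine, both signature generation and subsequent detection are fast and efficient.

Keywords: Computer security  Software security  Software vulnerability  Binary program signature  Binary patch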

Automatic Generation of Attack-based Signature
WANG Guo-dong, CHEN Ping, MAO Bing, XIE Li. Automatic Generation of Attack-based Signature[J]. Computer Science, 2012, 39(3): 118-123.
Authors: WANG Guo-dong  CHEN Ping  MAO Bing  XIE Li
Affiliation: (State Key Laboratory for Novel Software Technology, Department of Computer Science and Technology, Nanjing University, Nanjing 210093, China)
Abstract: Signatures can be generated based on the characteristics of attacks. Using dynamic program analysis, we generated binary signatures for control-flow attacks on the return value of a function call and on function call pointers, and for non-control-flow attacks on decision-related variables. First, we identified the instructions related to the vulnerability. Second, we monitored these instructions using a modified virtual machine. Finally, we raised an alert and generated a signature upon finding any malicious write behavior. A patch recording the malicious write instructions could be generated at the same time so that these instructions are ignored in future executions. The generated signature could be sent to other computers to monitor the same software's execution using a lightweight virtual machine. Experimental results show that the binary-level signature has a simplified form, precise functionality and a low false-negative rate, and is effective in defending against polymorphic attacks. In addition, the lightweight virtual machine makes use of the signature fast.
Keywords: Computer security  Software security  Software vulnerability  Binary signature  Binary patch
This article has been indexed by CNKI and other databases.