典型Shellcode引擎特征检测方法研究

通用的shellcode引擎大都采用特定运算对shellcode进行编码,使得shellcode具有规避传统的代码特征检测系统的能力。为了检测具有规避传统检测能力的shellcode,深入分析目前典型shellcode引擎的工作原理,在此基础上研究引擎产生shellcode的代码特征和行为特征,进而提出了基于这两类特征的针对性综合检测方法。实验结果表明,这种综合检测方法可以针对性地、有效地检测并阻止这类shellcode的执行,同时对其它shellcode也能实现一定程度上的检测,而且虚警和漏警率为0。该检测系统对恶意代码的检测具有一定的应用价值。     

基于人工免疫理论的Shellcode检测方法

Shellcode是缓冲区溢出漏洞攻击的核心代码部分,往往嵌入到文件和网络流量载体中。针对特征码匹配等检测手段存在时间滞后、准确率低等问题,结合人工免疫理论,提出一种采用实值编码的shellcode检测方法。收集shellcode样本并进行反汇编,利用n-gram模型对汇编指令序列提取特征生成抗原,作为免疫系统未成熟检测器来源,之后经历阴性选择算法的免疫耐受过程,生成成熟检测器。对检测器进行克隆和变异,繁衍出更加优良的后代,提高检测器的多样性和亲和度。实验结果表明,该方法对非编码shellcode和多态shellcode均具有较高的检测准确率。     

一种shellcode动态检测与分析技术

提出一种基于动态二进制平台DynamoRIO的shellcode模型识别与功能分析方法,并实现了基于该方法的原型系统.首先总结了shellcode利用技术,分析了shellcode动态执行特征,利用自动机理论,对shellcode各执行阶段进行了形式化的描述,并给出了各阶段相应的自动机模型及检测分析算法,据此归纳得到shellcode的一般执行模式;其次,提出了一种shellcode的API调用序列分析方法,根据API类型和参数,实现了对shellcode的功能分析.实验结果表明,该方法能够有效检测shell-code,识别执行模式,判定shellcode执行功能.该检测方法对高效检测shellcode、快速判明网络攻击意图和提高对网络攻击事件的响应能力具有重要的应用价值.     

shellcode攻击与防范技术

针对Windows系统环境下,攻击者通过shellcode代码威胁系统安全的问题,研究shellcode攻击与防范方法。分析shellcode代码的工作原理、攻击过程及多种变化,介绍新型Windows系统采用的GS和ASLR保护对shellcode攻击的防范机制,并通过实验验证其防范效果。结果证明,实施shellcode攻击需要一定的条件,而GS和ALSR可破坏这些攻击条件的形成,有效阻止攻击。     

基于shellcode检测的缓冲区溢出攻击防御技术研究

缓冲区溢出攻击对计算机和网络安全构成极大威胁。从缓冲区溢出攻击原理和shellcode实现方式出发，提出针对shellcode的溢出攻击防御技术。描述shellcode获取控制权前后，从代码特点、跳转方式及shellcode恶意功能实现过程等方面入手，检测并阻止shellcode以对抗溢出攻击的几种技术。最后对这些技术的优缺点进行比较分析，指出其中较为优秀的方法，并就更全面提高系统安全性提出了一些建议。     

基于混合表征和协同训练的软件漏洞检测

对于漏洞领域基准数据集较少导致的深度学习模型泛化能力较差,以及传统的基于规则引擎的漏洞检测工具性能较低的问题,提出了一种基于混合表征和协同训练的软件源代码漏洞检测方法。首先,基于预训练模型提取源代码文本特征,提取代码语义信息,然后使用工具生成抽象语法树,通过自定义遍历规则提取源代码的AST(抽象语法树)特征,将两种特征进行混合丰富代码表征。其次,搭建多个深度模型,基于协同训练算法通过大量的无标签数据提升各模型的泛化能力。鉴于单一模型可能造成较高的漏报率和误报率,并可能被某一模型主导预测结果的问题,采用了基于加权投票机制的多模型集成方法。实验结果表明,该方法在一定程度上解决了数据集较少导致的模型泛化性差的问题,与漏洞检测领域一些主流检测方法相比,该方法在各指标上具有一定的优势,且检测性能高于规则引擎Fortify。     

一种基于特征矩阵的软件脆弱性代码克隆检测方法

提出了一种基于特征矩阵的软件代码克隆检测方法.在此基础上,实现了针对多类脆弱性的检测模型.基于对脆弱代码的语法和语义特征分析,从语法分析树抽取特定的关键节点类型描述不同的脆弱性类型,将4种基本克隆类型细化拓展到更多类,通过遍历代码片段对应的语法分析树中关键节点的数量,构造对应的特征矩阵.从公开漏洞数据库中抽取部分实例作为基本知识库,通过对代码进行基于多种克隆类型的聚类计算,达到了从被测软件代码中检测脆弱代码的目的.与基于单一特征向量的检测方法相比,对脆弱性特征的描述更加精确,更具有针对性,并且弥补了形式化检测方法在脆弱性类型覆盖能力上的不足.在对android-kernel代码的测试中发现了9个脆弱性.对不同规模软件代码的测试结果表明,该方法的时间开销和被测代码规模成线性关系.     

基于安卓系统的代码隐藏类规避技术检测框架

随着恶意软件检测和分析技术的发展,大量恶意软件采用规避技术来对抗安全分析。其中,代码隐藏类规避技术将应用代码对静态分析隐藏起来,使分析结果错误或缺失。爆炸式增长的恶意软件数量要求了对代码隐藏类规避技术的自动化检测。通过对142个恶意样本进行人工分析,总结出一种代码隐藏类规避技术的检测方法,并实现了一个通用的自动化检测框架。使用检测框架在第三方应用市场2 278个样本上进行了实验,发现有34.9%的样本使用了代码隐藏类规避技术。     

恶意代码的变形技术研究

恶意代码常常使用一些隐形技术来躲避反病毒软件的检测。然而,采用加密和多态技术的恶意代码已经难以躲避基于特征码和代码仿真技术的检测,而变形技术却呈现出较强的反检测能力。通过对变形技术作深入的分析,详细介绍了变形引擎及其所采用的代码混淆技术,以及当前的变形恶意代码检测技术,并简要分析了变形技术在软件防护领域的应用。     

基于智能特征码的反病毒引擎设计

针对传统反病毒引擎的体系结构难于扩展的缺点,通过分析其数学模型,提出新的基于触发检测逻辑的反病毒引擎模型,实现相应的原型系统。利用增加特征码的语义来抽取固化的检测逻辑,提高反病毒引擎的可扩展性,增强对新病毒及病毒变种的检测能力。实验结果证明,该引擎可以检测出11种常见病毒的变种,具有较高的准确性。     

Dynamic emulation based modeling and detection of polymorphic shellcode at the network level

It is a promising way to detect polymorphic shellcode using emulation method. However, previous emulation-based approaches are limited in their performance and resilience against evasions. A new enhanced emulation-based detection approach is proposed, including an automaton-based model of the dynamic behavior of polymorphic shellcode and a detection algorithm, the detection criterion of which is derived from that model and ensures high detection accuracy. The algorithm also contains several optimization techniques, highly improving the running performance and the resilience against detection evasion shellcode. We have implemented a prototype system for our approach. The advantages of our algorithm are validated by the experiments with real network data, polymorphic shellcode samples generated by available polymorphic engines and hand-crafted detection evasion shellcode.     

Network-level polymorphic shellcode detection using emulation

Significant progress has been made in recent years towards preventing code injection attacks at the network level. However, as state-of-the-art attack detection technology becomes more prevalent, attackers are likely to evolve, employing techniques such as polymorphism and metamorphism to defeat these defenses. A major outstanding question in security research and engineering is thus whether we can proactively develop the tools needed to contain advanced polymorphic and metamorphic attacks. While recent results have been promising, most of the existing proposals can be defeated using only minor enhancements to the attack vector. In fact, some publicly-available polymorphic shellcode engines are currently one step ahead of the most advanced publicly-documented network-level detectors. In this paper, we present a heuristic detection method that scans network traffic streams for the presence of previously unknown polymorphic shellcode. In contrast to previous work, our approach relies on a NIDS- embedded CPU emulator that executes every potential instruction sequence in the inspected traffic, aiming to identify the execution behavior of polymorphic shellcode. Our analysis demonstrates that the proposed approach is more robust to obfuscation techniques like self-modifications compared to previous proposals, but also highlights advanced evasion techniques that need to be more closely examined towards a satisfactory solution to the polymorphic shellcode detection problem.     

An artificial intelligence membrane to detect network intrusion

We propose an artificial intelligence membrane to detect network intrusion, which is analogous to a biological membrane that prevents viruses from entering cells. This artificial membrane is designed to monitor incoming packets and to prevent a malicious program code (e.g., a shellcode) from breaking into a stack or heap in a memory. While monitoring incoming TCP packets, the artificial membrane constructs a TCP segment of incoming packets, and derives the byte frequency of the TCP segment (from 0 to 255 bytes) as well as the entropy and size of the segment. These features of the segment can be classified by a data-mining technique such as a decision tree or neural network. If the data-mining method finds a suspicious byte sequence, the sequence is emulated to ensure that it is just a shellcode. If the byte sequence is a shellcode, the sequence is dropped. At the same time, an alert is communicated to the system administrator. Our experiments examined seven data-mining methods for normal and malicious network traffic. The malicious traffic included 114 shellcodes, provided by the Metasploit framework, and including 10 types of metamorphic or polymorphic shellcodes. In addition, real network traffic involving shellcodes was examined. We found that a random forest method outperformed all the other datamining methods and had a very high detection accuracy, including a true-positive rate of 99.6% and a false-positive rate of 0.4%.     

Filter-resistant code injection on ARM

Code injection attacks are one of the most powerful and important classes of attacks on software. In these attacks, the attacker sends malicious input to a software application, where it is stored in memory. The malicious input is chosen in such a way that its representation in memory is also a valid representation of a machine code program that performs actions chosen by the attacker. The attacker then triggers a bug in the application to divert the control flow to this injected machine code. A typical action of the injected code is to launch a command interpreter shell, and hence the malicious input is often called shellcode. Attacks are usually performed against network facing applications, and such applications often perform validations or encodings on input. Hence, a typical hurdle for attackers, is that the shellcode has to pass one or more filtering methods before it is stored in the vulnerable application??s memory space. Clearly, for a code injection attack to succeed, the malicious input must survive such validations and transformations. Alphanumeric input (consisting only of letters and digits) is typically very robust for this purpose: it passes most filters and is untouched by most transformations. This paper studies the power of alphanumeric shellcode on the ARM architecture. It shows that the subset of ARM machine code programs that (when interpreted as data) consist only of alphanumerical characters is a Turing complete subset. This is a non-trivial result, as the number of instructions that consist only of alphanumeric characters is very limited. To craft useful exploit code (and to achieve Turing completeness), several tricks are needed, including the use of self-modifying code.     

通用代码Shell化技术研究

代码Shell化技术是一种实现程序从源码形态到二进制形态的程序变换技术。该技术可用于实现Shellcode生成,生成包括漏洞利用过程中的Shellcode及后渗透测试过程中的功能性Shellcode。文中形式化地描述了程序中代码与数据的关系,提出了一种基于LLVM(Low Level Virtual Machine)的通用程序变换方法,该方法可用于实现操作系统无关的代码Shell化。该技术通过构建代码内置全局数据表和添加动态重定位代码,将代码对数据的绝对内存地址访问转化为对代码内部全局数据表的相对地址访问,重构了代码与数据之间的引用关系,解决了代码执行过程中对操作系统重定位机制依赖的问题,使得生成的Shellcode代码具有位置无关特性。在验证实验中,使用适用于不同操作系统的不同规模的工程源码对基于该技术实现的Shellcode生成系统进行了功能测试,并对比了Shell化前后代码功能的一致性、文件大小、函数数量和运行时间,实验结果表明基于该技术的Shellcode生成系统功能正常,具有较好的兼容性和通用性。     

On the infeasibility of modeling polymorphic shellcode

Current trends demonstrate an increasing use of polymorphism by attackers to disguise their exploits. The ability for malicious code to be easily, and automatically, transformed into semantically equivalent variants frustrates attempts to construct simple, easily verifiable representations for use in security sensors. In this paper, we present a quantitative analysis of the strengths and limitations of shellcode polymorphism, and describe the impact that these techniques have in the context of learning-based IDS systems. Our examination focuses on dual problems: shellcode encryption-based evasion methods and targeted “blending” attacks. Both techniques are currently being used in the wild, allowing real exploits to evade IDS sensors. This paper provides metrics to measure the effectiveness of modern polymorphic engines and provide insights into their designs. We describe methods to evade statistics-based IDS sensors and present suggestions on how to defend against them. Our experimental results illustrate that the challenge of modeling self-modifying shellcode by signature-based methods, and certain classes of statistical models, is likely an intractable problem.     

一种分布式的僵尸网络实时检测算法

僵尸网络通过控制的主机实现多类恶意行为,使得当前的检测方法失效,其中窃取敏感数据已经成为主流。鉴于僵尸网络实现的恶意行为,检测和减轻方法的研究已经势在必行。提出了一种新颖的分布式实时僵尸网络检测方法,该方法通过将Netflow组织成主机Netflow图谱和主机关系链,并提取隐含的C&C通信特征来检测僵尸网络。同时,基于Spark Streaming分布式实时流处理引擎,使用该算法实现了BotScanner分布式检测系统。为了验证该系统的有效性,采用5个主流的僵尸网络家族进行训练,并分别使用模拟网络流量和真实网络流量进行测试。实验结果表明,在无需深度包解析的情况下,BotScanner分布式检测系统能够实时检测指定的僵尸网络,并获得了较高的检测率和较低的误报率。而且,在真实的网络环境中,BotScanner分布式检测系统能够进行实时检测,加速比接近线性,验证了Spark Streaming引擎在分布式流处理方面的优势,以及用于僵尸网络检测方面的可行性。