2006
DOI: 10.1007/11663812_15

A Fast Static Analysis Approach to Detect Exploit Code Inside Network Flows

Abstract: A common way by which attackers gain control of hosts is through remote exploits. A new dimension to the problem is added by worms, which use exploit code to self-propagate and are becoming a commonplace occurrence. Defense mechanisms exist, but the popular ones are signature-based techniques that use known byte patterns, and they can be thwarted using polymorphism, metamorphism and other obfuscations. In this paper, we argue that exploit code is characterized by more than just a byte pattern because, in …

Cited by 72 publications (103 citation statements); references 22 publications.
“…Initial approaches focused on the identification of the sled component that often precedes the shellcode [2,29]. Recent works aim to detect the polymorphic shellcode itself using various approaches, such as the identification of structural similarities among different worm instances [15], control and data flow analysis [8,32], or neural networks [21].…”
Section: Related Work; mentioning confidence: 99%
“…In [52], Toth and Kruegel proposed identifying exploit code by detecting NOP sleds. However, attacks can bypass this detection technique by either excluding NOP sleds or by using polymorphic techniques [11,16,30]. Christodorescu and colleagues [12,13] proposed techniques to detect malicious patterns in executables using semantic heuristics.…”
Section: Related Work; mentioning confidence: 99%
“…Lakhotia and Eric in [27] used content analysis techniques to detect obfuscated calls in binaries. Chinchani and van den Berg proposed a rule-based scheme in [11]. Wang et al. proposed SigFree [55], which checks if network packets contain malicious code using "push and call" patterns and the number of useful instructions in the longest possible execution chain.…”
Section: Related Work; mentioning confidence: 99%
“…In the past few years, many detection approaches [1], [3], [4], [6], [9] have been proposed. Basically, these methods can be divided into two categories: static analysis [3], [4] and dynamic analysis [1], [6], [9].…”
Section: Introduction; mentioning confidence: 99%
“…Basically, these methods can be divided into two categories: static analysis [3], [4] and dynamic analysis [1], [6], [9]. The core idea of static analysis is to disassemble the network stream and then analyze the code-level patterns that could be signatures obtained from existing shellcode.…”
Section: Introduction; mentioning confidence: 99%