Analyzing network traffic to detect self-decrypting exploit code

Zhang, Qinghua; Reeves, Douglas S.; Ning, Peng; Iyer, S. Purushothaman

doi:10.1145/1229285.1229291

Cited by 39 publications

(51 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Zhang et al [31] proposed another emulator to detect polymorphic shellcode. In addition, they use a static analysis method to identify the start point of polymorphic shellcode which is potentially faster than [23].…”

Section: Related Workmentioning

confidence: 99%

STILL: Exploit Code Detection via Static Taint and Initialization Analyses

Wang

Jhi

Zhu

et al. 2008

2008 Annual Computer Security Applications Conference (ACSAC)

View full text Add to dashboard Cite

show abstract

Section: Related Workmentioning

confidence: 99%

STILL: Exploit Code Detection via Static Taint and Initialization Analyses

Wang

Jhi

Zhu

et al. 2008

2008 Annual Computer Security Applications Conference (ACSAC)

View full text Add to dashboard Cite

show abstract

“…Dynamic code analysis using network-level emulation [22] is not hindered by such obfuscations, and thus can detect even extensively obfuscated shellcodes but is currently able to detect only self-contained polymorphic shellcode. Zhang et al [35] propose to combine network-level emulation with static and data flow analysis for improving runtime detection performance. However, the proposed method requires the presence of a decryption loop in the shellcode, and thus will miss any polymorphic shellcodes that use unrolled loops or linear code, such as those presented in Sec.…”

Section: Related Workmentioning

confidence: 99%

“…However, recent advances in shellcode development have demonstrated that in certain cases, it is possible to construct a polymorphic shellcode which i) does not rely on any form of GetPC code, and ii) does not read its own memory addresses during the decryption process. A shellcode that uses either or both of these features will thus evade current network-level emulation approaches [22,35]. In the following, we describe examples of both cases.…”

Section: Non-self-contained Polymorphic Shellcodementioning

confidence: 99%

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Polychronakis

Anagnostakis

Markatos

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Network-level emulation has recently been proposed as a method for the accurate detection of previously unknown polymorphic code injection attacks. In this paper, we extend network-level emulation along two lines. First, we present an improved execution behavior heuristic that enables the detection of a certain class of non-self-contained polymorphic shellcodes that are currently missed by existing emulation-based approaches. Second, we present two generic algorithmic optimizations that improve the runtime performance of the detector. We have implemented a prototype of the proposed technique and evaluated it using off-the-shelf non-self-contained polymorphic shellcode engines and benign data. The detector achieves a modest processing throughput, which however is enough for decent runtime performance on actual deployments, while it has not produced any false positives. Finally, we report attack activity statistics from a seven-month deployment of our prototype in a production network, which demonstrate the effectiveness and practicality of our approach.

show abstract

“…Zhang et al [164] introduce a detection technique for polymorphic code through static identification of its self-decryption functionality. Limited emulation of instructions is used in conjunction with recursive traversal of loops to find the starting location of the respective routine.…”

Section: Malware Analysis Solutionsmentioning

confidence: 99%

Semantics-aware detection of targeted attacks: a survey

Luh

Marschalek

Kaiser

et al. 2016

J Comput Virol Hack Tech

View full text Add to dashboard Cite

In today's interconnected digital world, targeted attacks have become a serious threat to conventional computer systems and critical infrastructure alike. Many researchers contribute to the fight against network intrusions or malicious software by proposing novel detection systems or analysis methods. However, few of these solutions have a particular focus on Advanced Persistent Threats or similarly sophisticated multi-stage attacks. This turns finding domainappropriate methodologies or developing new approaches into a major research challenge. To overcome these obstacles, we present a structured review of semantics-aware works that have a high potential for contributing to the analysis or detection of targeted attacks. We introduce a detailed literature evaluation schema in addition to a highly granular model for article categorization. Out of 123 identified papers, 60 were found to be relevant in the context of this study. The selected articles are comprehensively reviewed and assessed in accordance to Kitchenham's guidelines for systematic literature reviews. In conclusion, we combine new insights and the status quo of current research into the concept of an ideal systemic approach capable of semantically processing and evaluating information from different observation points.

show abstract

Analyzing network traffic to detect self-decrypting exploit code

Cited by 39 publications

References 11 publications

STILL: Exploit Code Detection via Static Taint and Initialization Analyses

STILL: Exploit Code Detection via Static Taint and Initialization Analyses

Emulation-Based Detection of Non-self-contained Polymorphic Shellcode

Semantics-aware detection of targeted attacks: a survey

Contact Info

Product

Resources

About