Polymorphic Code Detection with GA Optimized Markov Models

Payer, Udo; Kraxberger, Stefan

doi:10.1007/11552055_21

Cited by 5 publications

(6 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Note that, Clet engine is endowed with a spectrum analysis mechanism which was designed in order to defeat Data Mining methods. However, evaluation results obtained in [36,37] show a detection rate of 100% for Clet engine with a low rate of false positives.…”

Section: Related Workmentioning

confidence: 80%

“…In these works, Data Mining methods are used as a learning process which is performed over a set of samples (positives and negatives datasets). For instance, in [37] authors suggest the use of Neural Networks as training process, whereas in [36] authors propose to use the Markov Chains. Note that, Clet engine is endowed with a spectrum analysis mechanism which was designed in order to defeat Data Mining methods.…”

Section: Related Workmentioning

confidence: 98%

“…Regarding anomaly-based approaches, there is only few works [36,37] that focus mainly on polymorphic shellcodes. In these works, Data Mining methods are used as a learning process which is performed over a set of samples (positives and negatives datasets).…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Specification and evaluation of polymorphic shellcode properties using a new temporal logic

Talbi¹,

Mejri²,

Bouhoula³

2008

J Comput Virol

View full text Add to dashboard Cite

International audienceIt is a well-known fact that polymorphism is one of the greatest find of malicious code authors. Applied in the context of Buffer Overflow attacks, the detection of such codes becomes very difficult. In view of this problematic, which constitutes a real challenge for all the international community, we propose in this paper a new formal language (based on temporal logics such as CTL) allowing to specify polymorphic codes, to detect them and to better understand their nature. The efficiency and the expressiveness of this language are shown via the specification of a variety of properties characterizing polymorphic shellcodes. Finally, to make the verification process automatic, this language is supported by a new IDS (Intrusion Detection System) that will also be presented in this paper

show abstract

Section: Related Workmentioning

confidence: 80%

Section: Related Workmentioning

confidence: 98%

See 1 more Smart Citation

Specification and evaluation of polymorphic shellcode properties using a new temporal logic

Talbi¹,

Mejri²,

Bouhoula³

2008

J Comput Virol

View full text Add to dashboard Cite

show abstract

“…This approach is robust but exhausted because of disassemble. Udo Payer et al [9] give a similar approach to detect executable code in flows, but use Markov Mode to bytes rather than instructions, so it achieves a better performance, but it cannot distinguish shellcode from benign executable code.…”

Section: Related Workmentioning

confidence: 99%

“…According to [9], the probability of occurrence of a byte sequence is evidently different between data and executable codes. We use Marcov Mode [9, 10] to profile the difference.…”

Section: Executable Codes Detectionmentioning

confidence: 99%

A Hybrid Detection Approach for Zero-Day Polymorphic Shellcodes

Chen

Zhang

Liu

2009

2009 International Conference on E-Business and Information System Security

View full text Add to dashboard Cite

Zero-day shellcodes has become a major threat to the Internet with complex obfuscation techniques. However, even the state-of-the-art NIDS has small chances of detecting them because they rely on known signatures. This paper presents Hybrid Detection for zero-day Polymorphic Shellcodes (HDPS) against shellcodes using various obfuscations. Our approach employs a heuristic approach to detect return address and filter mass innocent network flows, and then constructs a Markov Model to detect the existence and location of executable codes in suspicious flows. Finally, it applies an elaborate approach to detect NOP Sleds in the executable codes. Initial experiments show HDPS detects nearly all types of shellcodes, and the false positive rate approximates zero with low overhead.

show abstract

Shellcode Location Based on Register Information Flow

Kuang

Wang

2019

J. Phys.: Conf. Ser.

View full text Add to dashboard Cite

Due to the high detection accuracy of dynamic simulation in which network traffic is sent to the emulator as executable code to detect suspicious behaviour, static analysis has become less popular. Earlier static shellcode detection methods are mainly based on statistical method which focus on instruction abstract features or byte patterns. Although these method can be used for detection, it can’t guarantee the detection effect. It is hard for both of them to locate the position of shellcode. However, a new static analysis based approach is proposed in this paper. The shellcode instructions rely heavily on contextual information, so we use static disassembly to capture the fine-grained malicious mode of registers. In order to enhance the detection performance, several rules are designed based on the characteristics of the shellcode. Experimental results show that our method has certain potential, which may show better effects when combined with other shellcode detection methods.

show abstract

Polymorphic Code Detection with GA Optimized Markov Models

Cited by 5 publications

References 4 publications

Specification and evaluation of polymorphic shellcode properties using a new temporal logic

Specification and evaluation of polymorphic shellcode properties using a new temporal logic

A Hybrid Detection Approach for Zero-Day Polymorphic Shellcodes

Shellcode Location Based on Register Information Flow

Contact Info

Product

Resources

About