论文部分内容阅读
实践证明,通过模拟的方法对多态Shellcode进行检测是行之有效的.然而,现有的基于模拟的方法在性能和抗攻击性上仍有不足.提出了一种经过改进的基于模拟的检测方法,该方法包括一个基于自动机的多态Shellcode动态行为模型,以及基于该模型设计的具有高准确性的检测算法.该算法同时还采用了多种优化技术,能够显著提高检测系统的运行性能,以及应对规避检测型Shellcode的能力.通过一个原型系统实现了上述方法,且使用了大量真实网络数据,由多态引擎生成的多态Shellcode样本,以及手工构造的规避型Shellcode,实验验证了该算法的有效性和先进性能.
Practice has proved that it is effective to test the polymorphic Shellcode through the simulation method.However, the existing simulation-based methods are still deficient in performance and anti-aggression.An improved simulation-based detection Method, which includes a multi-state shellcode dynamic behavior model based on automaton and a high accuracy detection algorithm designed based on the model.The algorithm also uses a variety of optimization techniques which can significantly improve the performance of the detection system , As well as the ability to deal with evasive Shellcode.This method was implemented in a prototype system using a large amount of real network data, polymorphic Shellcode samples generated by polymorphic engines and hand-crafted circumvention Shellcode. The effectiveness and advanced performance of the algorithm.