Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Analyzing network traffic to detect self-decrypting exploit code
ASIACCS '07 Proceedings of the 2nd ACM symposium on Information, computer and communications security
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
SigFree: a signature-free buffer overflow attack blocker
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Accurate buffer overflow detection via abstract payload execution
RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Emulation-based detection of non-self-contained polymorphic shellcode
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Network–Level polymorphic shellcode detection using emulation
DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Polymorphic worm detection using structural information of executables
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
A fast static analysis approach to detect exploit code inside network flows
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Anagram: a content anomaly detector resistant to mimicry attack
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
| Hi-index | 0.00 |
The general method in which attackers obtain the control authority of the remote host is through the exploit code. As network security systems have mounted the desired signatures about exploits, they have reduced damage due to the spreading and reoccurrence of the exploits. However, to avoid signature-based detection techniques, exploits employing techniques such as polymorphism and metamorphism have become more prevalent. Especially in the case of polymorphism, because there are many automation engines even if there is no special knowledge in order to make various exploits easily, the polymorphism researches need to be more actively studied. We present a new static analysis method for detecting the decryption routine of polymorphic exploit code. Most of decryption routines store the program counter value of remote host on a stack and use the value as the address for accessing the memory that the encrypted original code is positioned. The proposed method traces the processing steps of decryption routine as using the static analysis method. In the results of experiment, the proposed method can detect polymorphic exploit codes that the static analysis resistant techniques are used, and shows more efficient than the emulation-based method in the processing performance.