A practical approach for detecting executable codes in network traffic

Authors:
Ikkyun Kim;Koohong Kang;YangSeo Choi;Daewon Kim;Jintae Oh;Kijun Han
Affiliations:
Information Security Research Division, ETRI, Daejeon, Korea;Dept. of Information and Communications Engineering, Seowon University, Chongju, South Korea;Information Security Research Division, ETRI, Daejeon, Korea;Information Security Research Division, ETRI, Daejeon, Korea;Information Security Research Division, ETRI, Daejeon, Korea;Dept. of Computer Engineering, Kyungpook National University, Daegu, South Korea
Venue:
APNOMS'07 Proceedings of the 10th Asia-Pacific conference on Network Operations and Management Symposium: managing next generation networks and services
Year:
2007

Citing 10
Cited 3

Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware

ACSAC '06 Proceedings of the 22nd Annual Computer Security Applications Conference
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Static disassembly of obfuscated binaries

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
SigFree: a signature-free buffer overflow attack blocker

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Accurate buffer overflow detection via abstract payload execution

RAID'02 Proceedings of the 5th international conference on Recent advances in intrusion detection
Network–Level polymorphic shellcode detection using emulation

DIMVA'06 Proceedings of the Third international conference on Detection of Intrusions and Malware & Vulnerability Assessment
A fast static analysis approach to detect exploit code inside network flows

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

English shellcode

Proceedings of the 16th ACM conference on Computer and communications security
NOZZLE: a defense against heap-spraying code injection attacks

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
SHELLOS: enabling fast detection and forensic analysis of code injection attacks

SEC'11 Proceedings of the 20th USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

The research on the detection of zero-day network attack and the signature generation is highlighted as an issue according to the outbreak of the new network attack is faster than a prediction. In this paper, we propose a very practical method that detects the executable codes within the network packet payload. It could be used as the key function of the signature generation against the zero-day attack or the high speed anomaly detection. The proposed heuristic method in this paper could be expressed in terms of visually classifying the characteristic of the instruction pattern of executable codes. And then we generalize this by applying the discrete parameter Markov chain. Our experimental study showed that the presented scheme could find all types of executable codes in our experiments.