Abstract
Shellcode is the core code of a buffer-overflow attack and is usually embedded in a carrier such as a file or network traffic. Detection techniques such as signature matching suffer from time lag and low accuracy; drawing on artificial immune theory, this paper proposes a shellcode detection method that uses real-valued encoding. Collected shellcode samples are disassembled, and an n-gram model extracts features from the assembly instruction sequences to generate antigens, which serve as the source of the immune system's immature detectors; these then pass through the immune tolerance of the negative selection algorithm to become mature detectors. The detectors are cloned and mutated to breed better offspring, raising detector diversity and affinity. Experimental results show that the method achieves high detection accuracy for both non-encoded and polymorphic shellcode.
Shellcode is the core part of a buffer overflow attack and is often embedded in files and network traffic. Signature-matching detection has exposed problems such as time delays and low accuracy. Based on artificial immune theory, this paper developed a real-valued-encoding-based detection method for shellcode. As one source of immature detectors, the proposed method disassembled the collected shellcode samples and extracted features from the instruction sequences using an n-gram model. The immature detectors became mature detectors after immune tolerance using the negative selection algorithm. To increase diversity and affinity, the detectors were cloned and mutated to proliferate better offspring. Experimental results show that the proposed method has higher detection accuracy for both non-encoded shellcode and polymorphic shellcode.
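As an added illustration, not code from the paper, here is a minimal Python version of the pipeline the abstract describes: n-gram features over disassembled mnemonics as real-valued antigens, antigen-derived immature detectors tolerated by negative selection, then clonal expansion with mutation. It assumes bigrams, Euclidean distance and a fixed detector radius; the instruction sequences are constructed, not the paper's data.

```python
import math
import random
from collections import Counter

def ngram_vector(tokens, vocab, n=2):
    """Real-valued encoding: relative frequency of each vocabulary n-gram in the sequence."""
    grams = Counter(tuple(tokens[i:i + n]) for i in range(len(tokens) - n + 1))
    total = sum(grams.values()) or 1
    return [grams[g] / total for g in vocab]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def mutate(vec, rng, sigma):
    """Gaussian perturbation, clipped at zero so frequencies stay non-negative."""
    return [max(0.0, x + rng.gauss(0.0, sigma)) for x in vec]

def tolerate(candidates, self_vecs, radius):
    """Negative selection: a candidate survives only if it matches no self (benign) sample."""
    return [c for c in candidates if all(dist(c, s) >= radius for s in self_vecs)]

def train(self_seqs, antigen_seqs, radius=0.35, clones=5, sigma=0.01, seed=7):
    rng = random.Random(seed)
    vocab = sorted({tuple(s[i:i + 2]) for s in self_seqs + antigen_seqs for i in range(len(s) - 1)})
    self_vecs = [ngram_vector(s, vocab) for s in self_seqs]
    antigens = [ngram_vector(a, vocab) for a in antigen_seqs]
    # Immature detectors are sourced from the antigens (shellcode features), then tolerated;
    # an antigen whose n-gram profile overlaps benign code yields no mature detector.
    immature = [mutate(a, rng, sigma) for a in antigens for _ in range(clones)]
    mature = tolerate(immature, self_vecs, radius)
    # Clonal expansion: clone and mutate, tolerate again, keep the highest-affinity set
    # (affinity = closeness to an antigen).
    offspring = tolerate([mutate(d, rng, sigma) for d in mature for _ in range(clones)], self_vecs, radius)
    pool = sorted(mature + offspring, key=lambda d: min(dist(d, a) for a in antigens))
    return {"vocab": vocab, "radius": radius, "self": self_vecs,
            "immature": len(immature), "detectors": pool[:len(mature)]}

def classify(model, tokens):
    """Non-self (shellcode-like) if any mature detector covers the sample's n-gram vector."""
    v = ngram_vector(tokens, model["vocab"])
    return "nonself" if any(dist(v, d) < model["radius"] for d in model["detectors"]) else "self"

# Constructed mnemonic sequences standing in for disassembled code (not real samples).
SELF = [s.split() for s in ("push mov mov call add mov pop ret",
                            "mov cmp jne mov add ret",
                            "push mov sub mov mov call mov leave ret")]
ANTIGENS = [s.split() for s in ("xor push push mov push mov int",
                                "push mov mov call add mov int")]  # second one overlaps self
MODEL = train(SELF, ANTIGENS)

if __name__ == "__main__":
    print(f"{MODEL['immature']} immature -> {len(MODEL['detectors'])} mature detectors")
    for seq in ("push mov call mov pop ret", "xor push push mov push mov mov int"):
        print(seq, "->", classify(MODEL, seq.split()))
```

Unseen n-grams at test time fall outside the vocabulary and are ignored, which is one reason the paper tolerates and clones detectors rather than matching fixed signatures.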
Authors
芦天亮
蔡满春
高见
Lu Tianliang; Cai Manchun; Gao Jian (College of Information Technology & Network Security; CIC of Security & Law for Cyberspace, People's Public Security University of China, Beijing 100038, China)
Source
《计算机应用研究》
CSCD
Peking University Core Journal (北大核心)
2018, No. 8, pp. 2409-2411, 2416 (4 pages)
Application Research of Computers
Funding
National Natural Science Foundation of China (61602489)
National Key R&D Program of China, "Cyberspace Security" Key Special Project (2017YFB0802804)
CERNET (赛尔网络) Next Generation Internet Technology Innovation Project (NGII20160405)