It is a promising way to detect polymorphic shellcode using emulation method. However, previous emulation-based approaches are limited in their performance and resilience against evasions. A new enhanced emulation-bas...It is a promising way to detect polymorphic shellcode using emulation method. However, previous emulation-based approaches are limited in their performance and resilience against evasions. A new enhanced emulation-based detection approach is proposed, including an automaton-based model of the dynamic behavior of polymorphic shellcode and a detection algorithm, the detection criterion of which is derived from that model and ensures high detection accuracy. The algorithm also contains several optimization techniques, highly improving the running performance and the resilience against detection evasion shellcode. We have implemented a prototype system for our approach. The advantages of our algorithm are validated by the experiments with real network data, polymorphic shellcode samples generated by available polymorphic engines and hand-crafted detection evasion shellcode.展开更多
文摘It is a promising way to detect polymorphic shellcode using emulation method. However, previous emulation-based approaches are limited in their performance and resilience against evasions. A new enhanced emulation-based detection approach is proposed, including an automaton-based model of the dynamic behavior of polymorphic shellcode and a detection algorithm, the detection criterion of which is derived from that model and ensures high detection accuracy. The algorithm also contains several optimization techniques, highly improving the running performance and the resilience against detection evasion shellcode. We have implemented a prototype system for our approach. The advantages of our algorithm are validated by the experiments with real network data, polymorphic shellcode samples generated by available polymorphic engines and hand-crafted detection evasion shellcode.
