TY - GEN
T1 - Using instruction sequence abstraction for shellcode detection and attribution
AU - Zhao, Ziming
AU - Ahn, Gail-Joon
PY - 2013
Y1 - 2013
N2 - Although several research teams have focused on binary code injection, it is still an unsolved problem. Misuse-based detection lacks the flexibility to tackle unseen malicious code samples, and anomaly-based detection on byte patterns is highly vulnerable to byte cramming and blending attacks. In addition, there is a pressing need to correlate newly detected code injection instances with known samples in order to better understand attack events and tactically mitigate future threats. In this paper, we propose a technique for modeling shellcode detection and attribution through a novel feature extraction method, called instruction sequence abstraction, that extracts coarse-grained features from an instruction sequence. Our technique facilitates a Markov-chain-based model for shellcode detection and support vector machines for encoded shellcode attribution. We also describe our experimental results on shellcode samples to demonstrate the effectiveness of our approach.
AB - Although several research teams have focused on binary code injection, it is still an unsolved problem. Misuse-based detection lacks the flexibility to tackle unseen malicious code samples, and anomaly-based detection on byte patterns is highly vulnerable to byte cramming and blending attacks. In addition, there is a pressing need to correlate newly detected code injection instances with known samples in order to better understand attack events and tactically mitigate future threats. In this paper, we propose a technique for modeling shellcode detection and attribution through a novel feature extraction method, called instruction sequence abstraction, that extracts coarse-grained features from an instruction sequence. Our technique facilitates a Markov-chain-based model for shellcode detection and support vector machines for encoded shellcode attribution. We also describe our experimental results on shellcode samples to demonstrate the effectiveness of our approach.
UR - http://www.scopus.com/inward/record.url?scp=84893589593&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84893589593&partnerID=8YFLogxK
U2 - 10.1109/CNS.2013.6682722
DO - 10.1109/CNS.2013.6682722
M3 - Conference contribution
AN - SCOPUS:84893589593
SN - 9781479908950
T3 - 2013 IEEE Conference on Communications and Network Security, CNS 2013
SP - 323
EP - 331
BT - 2013 IEEE Conference on Communications and Network Security, CNS 2013
PB - IEEE Computer Society
T2 - 1st IEEE International Conference on Communications and Network Security, CNS 2013
Y2 - 14 October 2013 through 16 October 2013
ER -