ISSN 1000-1239 CN 11-1777/TP

计算机研究与发展 ›› 2014, Vol. 51 ›› Issue (8): 1704-1714.doi: 10.7544/issn1000-1239.2014.20121149

• 信息安全 • 上一篇    下一篇

一种基于双模式虚拟机的多态Shellcode检测方法

罗 杨,夏春和,李亚卓,魏 昭,梁晓艳   

  1. (北京航空航天大学网络技术北京市重点实验室 北京 100191) (veotax@sae.buaa.edu.cn)
  • 出版日期: 2014-08-15
  • 基金资助: 
    基金项目:国家自然科学基金项目(61170295);国防基础科研计划项目(A2120110006);北京市教育委员会共建项目建设计划项目(JD100060630);中航工业产学研项目(CXY2011BH07)

A Polymorphic Shellcode Detection Method Based on Dual-Mode Virtual Machine

Luo Yang, Xia Chunhe, Li Yazhuo, Wei Zhao, Liang Xiaoyan   

  1. (Key Laboratory of Beijing Network Technology, Beihang University, Beijing 100191)
  • Online: 2014-08-15

摘要: 近年来,Shellcode攻击通常利用多态技术进行自我加密来绕过网络层设备的检测,而现有检测方法无法区分多态Shellcode与加壳保护代码.提出了一种基于双模式虚拟机的多态Shellcode检测方法,该方法改进了现有的GetPC定位机制,实现了Shellcode的初步定位,通过IA-32指令识别对网络流量的进行进一步过滤,利用有限自动机及其判别条件实现虚拟机控制流模式和数据流模式之间的切换,并通过结合现有的特征匹配技术实现对多层加密的多态Shellcode的检测.实验结果表明,针对大量真实的网络数据,该方法在保证高检测召回率的同时,能够实现对多态Shellcode与加壳保护软件的有效区分,避免了对正常流量的误报行为,并且时间开销介于静态分析与动态模拟之间,为网络层检测多态Shellcode提供了一种有效方法.

关键词: 多态Shellcode, GetPC定位, 指令识别, 虚拟机, 控制流模式, 数据流模式, Define-Use链

Abstract: Malicious code such as virus and worm propagates and attacks via the Internet which compromises network securities seriously. By exploiting vulnerabilities of services running on a remote host, the malicious code can inject shellcode into the host and gain complete control over it. Recently, shellcode attacks tend to evade network detection by employing polymorphic techniques. However, previous detection methods lack the real-time performance, resilience against evasions and the consideration of distinguishing polymorphic shellcode from normal shell protected code. We propose an enhanced polymorphic shellcode detection approach based on dual-mode virtual machine. We firstly filter network traffic via an improved GetPC location mechanism and IA-32 instruction recognition method, subsequently implement a dual-mode virtual machine to execute the target instruction flow by transferring states of the finite automaton between control-flow mode and data-flow mode according to various decision conditions. A prototype system has been implemented for our approach and experimental results indicate that when detecting real network data mixed with the polymorphic shellcode samples, the approach we proposed succeeds in differentiating the polymorphic shellcode from shell protected software without losing its accuracy and its time complexity lies between the static analysis and dynamic emulation, which makes it an encouraging method for network attack detection.

Key words: polymorphic shellcode, GetPC location, instruction recognition, virtual machine, control-flow mode (CFM), data-flow mode (DFM), Define-Use chain

中图分类号: