TY - GEN
T1 - Comprehensive shellcode detection using runtime heuristics
AU - Polychronakis, Michalis
AU - Anagnostakis, Kostas G.
AU - Markatos, Evangelos P.
PY - 2010
Y1 - 2010
N2 - A promising method for the detection of previously unknown code injection attacks is the identification of the shellcode that is part of the attack vector using payload execution. Existing systems based on this approach rely on the self-decrypting behavior of polymorphic code and can identify only that particular class of shellcode. Plain, and more importantly, metamorphic shellcode do not carry a decryption routine nor exhibit any self-modifications and thus both evade existing detection systems. In this paper, we present a comprehensive shellcode detection technique that uses a set of runtime heuristics to identify the presence of shellcode in arbitrary data streams. We have identified fundamental machine-level operations that are inescapably performed by different shellcode types, based on which we have designed heuristics that enable the detection of plain and metamorphic shellcode regardless of the use of self-decryption. We have implemented our technique in Gene, a code injection attack detection system based on passive network monitoring. Our experimental evaluation and real-world deployment show that Gene can effectively detect a large and diverse set of shellcode samples that are currently missed by existing detectors, while so far it has not generated any false positives.
AB - A promising method for the detection of previously unknown code injection attacks is the identification of the shellcode that is part of the attack vector using payload execution. Existing systems based on this approach rely on the self-decrypting behavior of polymorphic code and can identify only that particular class of shellcode. Plain, and more importantly, metamorphic shellcode do not carry a decryption routine nor exhibit any self-modifications and thus both evade existing detection systems. In this paper, we present a comprehensive shellcode detection technique that uses a set of runtime heuristics to identify the presence of shellcode in arbitrary data streams. We have identified fundamental machine-level operations that are inescapably performed by different shellcode types, based on which we have designed heuristics that enable the detection of plain and metamorphic shellcode regardless of the use of self-decryption. We have implemented our technique in Gene, a code injection attack detection system based on passive network monitoring. Our experimental evaluation and real-world deployment show that Gene can effectively detect a large and diverse set of shellcode samples that are currently missed by existing detectors, while so far it has not generated any false positives.
KW - code emulation
KW - payload execution
KW - shellcode detection
UR - https://www.scopus.com/pages/publications/78751476748
U2 - 10.1145/1920261.1920305
DO - 10.1145/1920261.1920305
M3 - Conference contribution
AN - SCOPUS:78751476748
SN - 9781450301336
T3 - Proceedings - Annual Computer Security Applications Conference, ACSAC
SP - 287
EP - 296
BT - Proceedings - 26th Annual Computer Security Applications Conference, ACSAC 2010
PB - IEEE Computer Society
ER -