
A Practical Approach for Detecting Executable Codes in Network Traffic

  • Conference paper
Managing Next Generation Networks and Services (APNOMS 2007)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 4773)


Abstract

Research on zero-day network attack detection and signature generation has become a pressing issue because new network attacks break out faster than they can be predicted. In this paper, we propose a very practical method that detects executable code within the network packet payload. It could serve as the key function of signature generation against zero-day attacks or of high-speed anomaly detection. The heuristic method proposed in this paper can be expressed as visually classifying the characteristic instruction patterns of executable code; we then generalize this by applying a discrete-parameter Markov chain. Our experimental study showed that the presented scheme could find all types of executable code in our experiments.
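As an added illustration (not the paper's own code), the following Python sketches the abstract's second step: a first-order discrete-parameter Markov chain over coarse x86 instruction classes, trained on a code-like sample and used to score whether a payload fragment looks executable. The opcode-class table, the samples and the decision threshold are constructed assumptions, and treating one byte as one token is a simplification of real variable-length decoding.

```python
"""Added illustration (not the paper's code): a first-order discrete-parameter Markov chain
over coarse x86 instruction classes that scores how code-like a payload fragment is.
The class table, samples and threshold below are constructed assumptions."""
import math
from collections import Counter, defaultdict

# Assumed class table: a handful of single-byte x86 opcodes mapped to coarse classes.
# Every other byte becomes one "other" token; real decoding is variable-length, so
# one byte per token is a simplification that keeps the example small.
OPCODE_CLASS = {
    **{b: "inc_dec" for b in range(0x40, 0x50)},
    **{b: "push" for b in range(0x50, 0x58)},
    **{b: "pop" for b in range(0x58, 0x60)},
    **{b: "arith" for b in (0x01, 0x03, 0x29, 0x2B, 0x31, 0x33)},
    0x89: "mov_rr", 0x8B: "mov_rr", 0x90: "nop", 0xC3: "ret", 0xE8: "call",
    0xEB: "jmp", 0x74: "jcc", 0x75: "jcc", 0xCD: "int",
}
CLASSES = sorted(set(OPCODE_CLASS.values()) | {"other"})

def tokenize(data: bytes) -> list:
    """Map each byte to its instruction class (one token per byte, simplified)."""
    return [OPCODE_CLASS.get(b, "other") for b in data]

def train(samples: list) -> dict:
    """Estimate P(next class | current class) from code-like samples, add-one smoothed."""
    counts = defaultdict(Counter)
    for sample in samples:
        toks = tokenize(sample)
        for cur, nxt in zip(toks, toks[1:]):
            counts[cur][nxt] += 1
    return {cur: {nxt: (counts[cur][nxt] + 1) / (sum(counts[cur].values()) + len(CLASSES))
                  for nxt in CLASSES} for cur in CLASSES}

def score(model: dict, data: bytes) -> float:
    """Mean log-probability per transition under the chain; higher is more code-like."""
    toks = tokenize(data)
    if len(toks) < 2:
        return float("-inf")
    return sum(math.log(model[a][b]) for a, b in zip(toks, toks[1:])) / (len(toks) - 1)

def is_code_like(model: dict, data: bytes, threshold: float = -2.3) -> bool:
    """Assumed decision rule: flag the fragment when its score clears a fixed threshold."""
    return score(model, data) > threshold

# Constructed samples: a hand-assembled prologue/body/epilogue for training, a shorter
# held-out function as the positive test case, and plain ASCII as the negative case.
CODE_SAMPLE = bytes.fromhex("5589e553565731c04043750290905f5e5b5dc3")
HELD_OUT_CODE = bytes.fromhex("5589e556575f5e5dc3")
TEXT_SAMPLE = b"plain ascii message sample 456789."
MODEL = train([CODE_SAMPLE])
```

With this toy model the held-out function scores about -1.9 per transition while the ASCII fragment scores log(1/15), about -2.7, so only the former clears the assumed threshold.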




Editor information

Shingo Ata, Choong Seon Hong


Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Kim, I., Kang, K., Choi, Y., Kim, D., Oh, J., Han, K. (2007). A Practical Approach for Detecting Executable Codes in Network Traffic. In: Ata, S., Hong, C.S. (eds) Managing Next Generation Networks and Services. APNOMS 2007. Lecture Notes in Computer Science, vol 4773. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75476-3_36


  • DOI: https://doi.org/10.1007/978-3-540-75476-3_36

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75475-6

  • Online ISBN: 978-3-540-75476-3

  • eBook Packages: Computer Science (R0)
