Abstract
The research on the detection of zero-day network attack and the signature generation is highlighted as an issue according to the outbreak of the new network attack is faster than a prediction. In this paper, we propose a very practical method that detects the executable codes within the network packet payload. It could be used as the key function of the signature generation against the zero-day attack or the high speed anomaly detection. The proposed heuristic method in this paper could be expressed in terms of visually classifying the characteristic of the instruction pattern of executable codes. And then we generalize this by applying the discrete parameter Markov chain. Our experimental study showed that the presented scheme could find all types of executable codes in our experiments.
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Kreibich, C., Crowcroft, J.: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots. In: Proceedings of the Second Workshop on Hot Topics in Networks (Hotnets II), Boston (2003)
Newsome, J., Karp, B., Song, D.X.: Polygraph: Automatically generating signatures for polymorphic worms. In: IEEE Symposium on Security and Privacy, pp. 226–241. IEEE Computer Society, Los Alamitos (2005)
Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: OSDI, pp. 45–60 (2004)
Singh, S., Estan, C., Varghese, G., Savage, S.: The EarlyBird system for realtime detection of unknown worms. Technical Report CS2003-0761, UC San Diego (2003)
Li, Z., Sanghi, M., Chen, Y., Kao, M.Y., Chavez, B.: Hamsa: Fast signature generation for zero-day polymorphicworms with provable attack resilience. In: S&P, pp. 32–47 (2006)
Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: Polyunpack: Automating the hidden-code extraction of unpack-executing malware. In: ACSAC 2006. Proceedings of the 22nd Annual Computer Security Applications Conference on Annual Computer Security Applications Conference, pp. 289–300. IEEE Computer Society, Washington (2006)
Christodorescu, M., Jha, S., Seshia, S.A., Song, D.X., Bryant, R.E.: Semantics-aware malware detection. In: IEEE Symposium on Security and Privacy, pp. 32–46. IEEE Computer Society Press, Los Alamitos (2005)
Kruegel, C., Robertson, W., Valeur, F., Vigna, G.: Static disassembly of obfuscated binaries. In: SSYM’04. Proceedings of the 13th conference on USENIX Security Symposium, Berkeley, CA, USA, p. 18. USENIX Association (2004)
Akritidis, P., Markatos, E.P., Polychronakis, M., Anagnostakis, K.G.: Stride: Polymorphic sled detection through instruction sequence analysis. In: SEC, pp. 375–392 (2005)
Chinchani, R., van den Berg, E.: A fast static analysis approach to detect exploit code inside network flows. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 284–308. Springer, Heidelberg (2006)
Toth, T., Krügel, C.: Accurate buffer overflow detection via abstract payload execution. In: Wespi, A., Vigna, G., Deri, L. (eds.) RAID 2002. LNCS, vol. 2516, pp. 274–291. Springer, Heidelberg (2002)
Wang, X., Pan, C.-C., Liu, P., Zhu, S.: Sigfree: a signature-free buffer overflow attack blocker. In: USENIX-SS 2006. Proceedings of the 15th conference on USENIX Security Symposium, Berkeley, CA, USA, p. -16. USENIX Association (2006)
Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Network-level polymorphic shellcode detection using emulation. In: Büschkes, R., Laskov, P. (eds.) DIMVA 2006. LNCS, vol. 4064, pp. 54–73. Springer, Heidelberg (2006)
jt: Libdasm. http://www.klake.org/jt/misc/libdasm-1.4.tar.gz
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kim, I., Kang, K., Choi, Y., Kim, D., Oh, J., Han, K. (2007). A Practical Approach for Detecting Executable Codes in Network Traffic. In: Ata, S., Hong, C.S. (eds) Managing Next Generation Networks and Services. APNOMS 2007. Lecture Notes in Computer Science, vol 4773. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75476-3_36
Download citation
DOI: https://doi.org/10.1007/978-3-540-75476-3_36
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-75475-6
Online ISBN: 978-3-540-75476-3
eBook Packages: Computer ScienceComputer Science (R0)