Abstract
In this paper, we propose a lightweight framework that uses kernel machines to detect the shellcodes used in drive-by download attacks. Because such shellcodes reach the browser embedded in web pages as JavaScript strings, we evaluated the approach on about 9850 shellcodes and 10000 JavaScript strings collected from the wild. The trained SVMs (Support Vector Machines) classified these samples with an accuracy above 99 %. Across different proportions of training data the SVM models performed consistently, with an average accuracy of 99.51 %, and the static approach also detected polymorphic shellcode variants. Compared with an emulation-based approach, our method achieved slightly higher accuracy while consuming about 33 % of the time taken by the emulator.
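Below, as an added example that is not the paper's code, is a minimal static pipeline in Python along the lines the abstract describes: it decodes the %u-escaped JavaScript strings in which sprayed shellcode is carried into bytes, derives a byte-level feature vector, and trains a linear-kernel SVM with the Pegasos sub-gradient method to separate shellcode-like strings from ordinary string literals. The decoding convention (a %uXXXX unit is one little-endian 16-bit word), the byte-histogram plus non-printable-fraction features, the Pegasos trainer and every sample string are assumptions constructed for this example; the paper's own features, kernel and dataset are not reproduced.

```python
# Added example, not code from the paper: a minimal static pipeline that
# decodes %u-escaped JavaScript strings to bytes, extracts byte-level features
# and trains a linear-kernel SVM with the Pegasos sub-gradient method to
# separate shellcode-like strings from ordinary string literals. The feature
# set, the training method and every sample below are constructed assumptions;
# the paper's own features, kernel and data are not reproduced here.
import random
import re

_ESCAPE_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})")


def js_unescape_bytes(s: str) -> bytes:
    """Decode a JavaScript unescape()-style literal to the byte string it carries.

    Convention used here: a %uXXXX unit is a little-endian 16-bit word, so
    "%u9090" -> 90 90 and "%uc031" -> 31 c0; a %XX escape and a literal
    ASCII character each yield one byte.
    """
    out = bytearray()
    pos = 0
    for m in _ESCAPE_RE.finditer(s):
        out.extend(s[pos:m.start()].encode("latin-1", "replace"))
        if m.group(1):
            word = int(m.group(1), 16)
            out.append(word & 0xFF)
            out.append(word >> 8)
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    out.extend(s[pos:].encode("latin-1", "replace"))
    return bytes(out)


def features(data: bytes) -> list:
    """Normalised 256-bin byte histogram plus the fraction of non-printable bytes."""
    n = max(len(data), 1)
    hist = [0.0] * 256
    for b in data:
        hist[b] += 1.0 / n
    non_printable = sum(1 for b in data if b < 0x20 or b >= 0x7F) / n
    return hist + [non_printable]


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def train_linear_svm(X, y, lam=0.01, epochs=100, seed=0):
    """Pegasos: stochastic sub-gradient descent on the regularised hinge loss (y in {+1,-1})."""
    rng = random.Random(seed)
    w = [0.0] * len(X[0])
    order = list(range(len(X)))
    t = 0
    for _ in range(epochs):
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            shrink = 1.0 - eta * lam
            if y[i] * _dot(w, X[i]) < 1.0:  # margin violated: step towards y_i * x_i
                w = [shrink * wj + eta * y[i] * xj for wj, xj in zip(w, X[i])]
            else:  # only the regulariser acts
                w = [shrink * wj for wj in w]
    return w


def predict(w, s: str) -> int:
    """+1 = shellcode-like, -1 = benign string literal."""
    return 1 if _dot(w, features(js_unescape_bytes(s))) >= 0.0 else -1


# Constructed training samples. The shellcode-like strings are a sled followed
# by a few generic x86 instruction bytes: illustrative byte patterns, not a
# functional payload.
SHELLCODE_LIKE = [
    "%u9090" * 12 + "%uc031%u5050%u5353%uc3ff",
    "%u9090" * 8 + "%ue589%u50ec%ud231%u6a52%uff00",
    "%u9090" * 16 + "%u3154%u51c9%ub9e2",
    "%u9090" * 6 + "%ud231%uf631%ue8ff",
    "%u0c0c" * 10 + "%uc031%ud2ff",  # different sled byte
    "%u9090" * 10 + "%u8b55%uecd0%u5653%u3357",
]
BENIGN = [
    "document.getElementById('content').innerHTML",
    "https://example.com/static/js/app.js?v=1.2.3",
    "Hello, world! Welcome back to the dashboard.",
    "var total = items.length * unitPrice;",
    "%3Cdiv%20class%3D%22row%22%3E",  # %XX-escaped markup decodes to printable text
    "Thu, 01 Jan 2015 00:00:00 GMT",
]


def train_demo_model():
    """Train on the constructed samples above and return the weight vector."""
    X = [features(js_unescape_bytes(s)) for s in SHELLCODE_LIKE + BENIGN]
    y = [1] * len(SHELLCODE_LIKE) + [-1] * len(BENIGN)
    return train_linear_svm(X, y)


if __name__ == "__main__":
    w = train_demo_model()
    # An encoded body without a sled is still flagged by its byte distribution.
    for s in SHELLCODE_LIKE + BENIGN + ["%u8b55%uecd0%u5653%u3357%ue8c9%u0000%ue900"]:
        print(predict(w, s), s[:48])
```

The last string in the `__main__` block has no sled at all and is still flagged, which is the point of a static classifier over the decoded bytes: an encoded body has a byte distribution unlike any benign string literal. These particular features would miss an encoder that emits only printable bytes, so a production detector needs richer features than a byte histogram; the abstract reports results on polymorphic variants, but which features it uses is not stated there.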
Cite this article
Cherukuri, M., Mukkamala, S. & Shin, D. Detection of shellcodes in drive-by attacks using kernel machines. J Comput Virol Hack Tech 10, 189–203 (2014). https://doi.org/10.1007/s11416-013-0195-2