
Detection of shellcodes in drive-by attacks using kernel machines

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

In this paper, we propose a light-weight framework using kernel machines for the detection of shellcodes used in drive-by download attacks. Because shellcodes are delivered in web pages as JavaScript strings, we studied the effectiveness of the proposed approach on about 9850 shellcodes and 10000 JavaScript strings collected from the wild. Our analysis shows that the trained SVMs (Support Vector Machines) classified with an accuracy of over 99 %. Evaluating the trained SVM models with different proportions of training data showed consistent performance, with an average accuracy of 99.51 %, and the proposed static approach proved effective at detecting even polymorphic shellcode variants. We compared the performance of our approach with an emulation-based approach and observed that ours achieved slightly better accuracy while consuming about 33 % of the time taken by the emulation-based approach.



Corresponding author

Correspondence to Srinivas Mukkamala.


Cherukuri, M., Mukkamala, S. & Shin, D. Detection of shellcodes in drive-by attacks using kernel machines. J Comput Virol Hack Tech 10, 189–203 (2014). https://doi.org/10.1007/s11416-013-0195-2


  • DOI: https://doi.org/10.1007/s11416-013-0195-2
