상세정보
학술대회
Lightweight Static Analysis to Detect Polymorphic Exploit Code with Static Analysis Resistant Technique
- 발행일
- 200906
- 출처
- International Conference on Communications (ICC) 2009, pp.1-6
- 협약과제
- 08MS2100, Network 위협의 Zero-Day Attack 대응을 위한 실시간 공격 Signature 생성 및 관리 기술개발, 장종수
- 초록
- The general method in which attackers obtain the control authority of the remote host is through the exploit code. As network security systems have mounted the desired signatures about exploits, they have reduced damage due to the spreading and reoccurrence of the exploits. However, to avoid signature-based detection techniques, exploits employing techniques such as polymorphism and metamorphism have become more prevalent. Especially in the case of polymorphism, because there are many automation engines even if there is no special knowledge in order to make various exploits easily, the polymorphism researches need to be more actively studied. We present a new static analysis method for detecting the decryption routine of polymorphic exploit code. Most of decryption routines store the program counter value of remote host on a stack and use the value as the address for accessing the memory that the encrypted original code is positioned. The proposed method traces the processing steps of decryption routine as using the static analysis method. In the results of experiment, the proposed method can detect polymorphic exploit codes that the static analysis resistant techniques are used, and shows more efficient than the emulation-based method in the processing performance. ©2009 IEEE.
- KSP 제안 키워드
- Analysis method, General method, Program counter, control authority, detection techniques, network security, processing performance, security system, signature-based detection, static analysis