Application Research of Computers (《计算机应用研究》)

Title: Method for shellcode detection based on artificial immune theory

Authors: Lu Tianliang, Cai Manchun, Gao Jian
Affiliation: a. College of Information Technology & Network Security; b. Collaborative Innovation Center of Security & Law for Cyberspace, People's Public Security University of China, Beijing 100038, China
Article number: 1001-3695(2018)08-2409-03
DOI: 10.3969/j.issn.1001-3695.2018.08.042
Abstract: Shellcode is the core code of a buffer overflow attack and is usually embedded in a carrier such as a file or network traffic. Detection approaches such as signature matching suffer from time lag and low accuracy. Drawing on artificial immune theory, this paper proposes a shellcode detection method that uses real-valued encoding. Shellcode samples are collected and disassembled, and features are extracted from the assembly instruction sequences with an n-gram model to generate antigens, which serve as the source of the immune system's immature detectors; these then undergo the immune tolerance process of the negative selection algorithm to produce mature detectors. The detectors are cloned and mutated to breed better offspring, improving detector diversity and affinity. Experimental results show that the method achieves high detection accuracy for both non-encoded shellcode and polymorphic shellcode.
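The pipeline the abstract describes (n-gram antigen encoding of disassembled instructions, negative selection as immune tolerance, clonal expansion with mutation) as an added Python example; this is not the paper's code, and the mnemonic sequences, the matching radius and the clone/mutation parameters are constructed assumptions.

```python
import random
from collections import Counter

N = 2            # n-gram size over disassembled mnemonics
RADIUS = 0.3     # matching threshold on Euclidean distance (assumed value)

# Constructed samples: mnemonic sequences standing in for disassembly output.
BENIGN = [  # "self": ordinary prologue/epilogue style function code
    ["push", "mov", "sub", "mov", "call", "add", "pop", "ret"],
    ["push", "mov", "mov", "cmp", "jne", "mov", "pop", "ret"],
    ["mov", "lea", "call", "test", "jz", "mov", "ret"],
]
SHELLCODE = [  # antigens: register clearing, stack-built arguments, syscall
    ["xor", "push", "push", "mov", "push", "mov", "mov", "int"],
    ["xor", "push", "push", "push", "mov", "mov", "int"],
]

def ngrams(seq):
    return [tuple(seq[i:i + N]) for i in range(len(seq) - N + 1)]
VOCAB = sorted({g for s in BENIGN + SHELLCODE for g in ngrams(s)})

def ngram_vector(seq):
    """Real-valued encoding: relative frequency of each vocabulary n-gram."""
    counts = Counter(ngrams(seq))
    total = sum(counts.values()) or 1
    return [counts[g] / total for g in VOCAB]

def distance(a, b):
    """Lower distance means higher detector/sample affinity."""
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def negative_selection(candidates, self_set):
    """Immune tolerance: drop any detector that binds a self (benign) sample."""
    return [d for d in candidates if all(distance(d, s) > RADIUS for s in self_set)]

def clone_and_mutate(detectors, self_set, clones=3, sigma=0.02, seed=1):
    """Clonal selection: copy each mature detector, perturb the copies (assumed
    Gaussian step), and keep only offspring that still pass tolerance."""
    rng = random.Random(seed)
    offspring = [[max(0.0, v + rng.gauss(0, sigma)) for v in d]
                 for d in detectors for _ in range(clones)]
    return detectors + negative_selection(offspring, self_set)

def build_detectors():
    self_set = [ngram_vector(s) for s in BENIGN]
    mature = negative_selection([ngram_vector(s) for s in SHELLCODE], self_set)
    return clone_and_mutate(mature, self_set)

def is_shellcode(seq, detectors):
    """A sample is flagged when any detector binds it within RADIUS."""
    v = ngram_vector(seq)
    return any(distance(v, d) <= RADIUS for d in detectors)
```

A variant of the antigen sequences that was never seen during training is still caught because its n-gram profile stays close to a detector, while an unseen benign sequence stays outside every detector's radius.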
Keywords: artificial immune system; shellcode detection; negative selection algorithm; clonal selection algorithm
Funding: National Natural Science Foundation of China (61602489)
National Key R&D Program of China, "Cyberspace Security" key special project (2017YFB0802804)
CERNET Next-Generation Internet Technology Innovation Project (NGII20160405)
Article URL: http://www.arocmag.com/article/01-2018-08-042.html
Received: 2017/5/1
Revised: 2017/6/15
Pages: 2409-2411, 2416
CLC number: TP309.2
Document code: A