Shellcode detection method based on virtual execution

A technology for virtual execution and code detection, applied in the field of network information security, that addresses the insufficient detection success rate and insufficient detection speed of static detection technology.

Inactive Publication Date: 2011-10-19
THE THIRD RES INST OF MIN OF PUBLIC SECURITY

AI Technical Summary

Problems solved by technology

[0005] With the application of polymorphic technology in attack code, static detection technology increasingly shows an insufficient detection success rate.
The dynamic virtual execution method detects Shellcode that uses polymorphic technology well, but it has shortcomings in detection speed.


Embodiment Construction

[0024] In order to make it easy to understand the technical means, creation features, achieved goals and effects of the present invention, the present invention will be further described below with reference to the specific figures.

[0025] The virtual execution-based attack code detection method provided by the present invention adopts the dynamic virtual execution technology, and includes the following steps:

[0026] (1) Scan the network byte stream and determine whether it contains a relocation instruction;

[0027] (2) Once a relocation instruction is found, initialize the virtual machine and place the network byte stream into it for controlled execution starting from that instruction. The virtual machine in this step is a process filled with nop instructions, and its load address is configurable;

[0028] (3) During virtual execution, dynamically monitor the state of the execution and judge whether attack code is present a...
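The three steps above, modelled in a small added Python example that is not part of the patent and not the applicant's implementation: step (1) is a scan for one relocation (GetPC) pattern, `call $+5`; step (2) builds a nop-filled process image with a configurable load address; step (3) emulates an assumed handful of x86 opcodes from the found instruction and watches for the characteristic the method relies on, a register ending up with the code's own load-time address. The opcode subset, the `call $+5` pattern, the decision threshold `min_insns` and the sample byte strings are all assumptions or constructed data.

```python
from dataclasses import dataclass, field

NOP = 0x90
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Relocation (GetPC) patterns the scanner looks for. Assumption: a single
# pattern. CALL rel32 with a zero displacement (E8 00 00 00 00) pushes the
# address of the following byte, so a later POP reveals the code's own address.
RELOC_PATTERNS = {b"\xe8\x00\x00\x00\x00": "call $+5"}


def scan_relocation(stream: bytes) -> list:
    """Step (1): offsets in the byte stream where a relocation instruction starts."""
    hits = []
    for pat, name in RELOC_PATTERNS.items():
        start = 0
        while (i := stream.find(pat, start)) != -1:
            hits.append((i, name))
            start = i + 1
    return sorted(hits)


@dataclass
class VirtualProcess:
    """Step (2): a process image filled with nop instructions; load address configurable."""
    base: int = 0x00400000
    size: int = 0x1000
    mem: bytearray = field(init=False)
    regs: dict = field(init=False)

    def __post_init__(self):
        self.mem = bytearray([NOP]) * self.size
        self.regs = {r: 0 for r in REGS32}
        self.regs["esp"] = self.base + self.size - 0x100  # small stack near the top

    def load(self, stream: bytes, offset: int = 0x100) -> int:
        """Copy the network byte stream into the image; return its virtual address."""
        self.mem[offset:offset + len(stream)] = stream
        return self.base + offset


def emulate(vp: VirtualProcess, eip: int, lo: int, hi: int, max_insns: int = 64) -> dict:
    """Step (3): execute from the relocation instruction and monitor the state.

    Assumed opcode subset: nop, call rel32, pop r32, inc/dec r32, jmp rel8.
    Records whether any register received an address inside [lo, hi), i.e.
    the loaded stream located itself in memory."""
    executed, self_located, stop = 0, False, "instruction limit"
    while executed < max_insns:
        off = eip - vp.base
        if not 0 <= off < vp.size - 5:
            stop = "eip left the image"
            break
        op = vp.mem[off]
        if op == NOP:
            eip += 1
        elif op == 0xE8:  # call rel32: push return address, branch
            rel = int.from_bytes(vp.mem[off + 1:off + 5], "little", signed=True)
            ret = eip + 5
            vp.regs["esp"] -= 4
            sp = vp.regs["esp"] - vp.base
            if not 0 <= sp <= vp.size - 4:
                stop = "stack left the image"
                break
            vp.mem[sp:sp + 4] = ret.to_bytes(4, "little")
            eip = ret + rel
        elif 0x58 <= op <= 0x5F:  # pop r32
            sp = vp.regs["esp"] - vp.base
            if not 0 <= sp <= vp.size - 4:
                stop = "stack left the image"
                break
            val = int.from_bytes(vp.mem[sp:sp + 4], "little")
            vp.regs["esp"] += 4
            vp.regs[REGS32[op - 0x58]] = val
            if lo <= val < hi:
                self_located = True
            eip += 1
        elif 0x40 <= op <= 0x4F:  # inc r32 (40-47) / dec r32 (48-4F)
            r = REGS32[(op - 0x40) & 7]
            vp.regs[r] = (vp.regs[r] + (1 if op < 0x48 else -1)) & 0xFFFFFFFF
            eip += 1
        elif op == 0xEB:  # jmp rel8
            rel = int.from_bytes(vp.mem[off + 1:off + 2], "little", signed=True)
            eip += 2 + rel
        else:
            stop = f"unsupported opcode {op:#04x}"
            break
        executed += 1
    return {"executed": executed, "self_located": self_located, "stop": stop}


def detect(stream: bytes, base: int = 0x00400000, min_insns: int = 8) -> dict:
    """Steps (1)-(3) combined: report whether the stream behaves like Shellcode."""
    for off, name in scan_relocation(stream):
        vp = VirtualProcess(base=base)  # fresh nop-filled image per candidate
        load = vp.load(stream)
        res = emulate(vp, load + off, load, load + len(stream))
        # Assumed decision rule: the code found its own address and then kept
        # executing valid instructions.
        if res["self_located"] and res["executed"] >= min_insns:
            return {"shellcode": True, "offset": off, "pattern": name, **res}
    return {"shellcode": False}


# Constructed samples, not captured traffic.
SAMPLE_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
# GetPC stub: call $+5 / pop ebx / inc ebx / inc ebx / jmp +2, padded with nops.
SAMPLE_GETPC = b"\x90" * 4 + b"\xe8\x00\x00\x00\x00\x5b\x43\x43\xeb\x02\x90\x90"
# Same relocation instruction, but the pushed address is never used.
SAMPLE_CALL_ONLY = b"\xe8\x00\x00\x00\x00" + b"\x90" * 20

if __name__ == "__main__":
    for label, s in [("benign", SAMPLE_BENIGN), ("getpc", SAMPLE_GETPC), ("call-only", SAMPLE_CALL_ONLY)]:
        print(label, detect(s))
```

The `SAMPLE_CALL_ONLY` case is the point of running the stream rather than only scanning it: the static pattern matches, but the execution characteristic (a register acquiring the stream's own address) never appears, so the stream is not flagged.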


Abstract

The invention discloses a Shellcode detection method based on virtual execution, which comprises the following steps of putting a network byte stream in a virtual machine to be subject to controlled execution, monitoring the execution process, and judging whether the Shellcode exists or not according to the characteristics existing in the execution process. For the Shellcode using polymorphic technology, a user can get good detection effect by using the method, and the information safety of the user can be ensured.

Description

Technical field

[0001] The invention relates to network information security technology, in particular to a network attack code detection method.

Background technique

[0002] Buffer overflow attack is one of the most important security problems in recent years. Attackers use buffer overflow vulnerabilities to execute remote code to achieve the purpose of attack.

[0003] Shellcode, as a piece of code sent to the target, is often the vector of buffer overflow attacks. Therefore, Shellcode detection is an effective means of buffer overflow attack detection.

[0004] Traditional Shellcode detection technology can be divided into two types: static and dynamic. The static detection method extracts features from the data stream and then judges whether Shellcode is present according to those features, as in the signature-based detection tools Snort and Bro. The dynamic detection method generally adopts simulated execution.

[0005] With the application of polymorphism te...


Application Information

Patent Type & Authority Applications(China)
IPC(8): H04L29/06, G06F21/00, G06F21/53, G06F21/55
Inventor 林九川杭强伟赵帅宋铮姚伟
Owner THE THIRD RES INST OF MIN OF PUBLIC SECURITY