动静结合的攻击代码检测方法

缓冲区溢出攻击是近年来最主要的安全问题之一，攻击者利用缓冲区溢出漏洞执行远程代码，从而达到攻击的目的。Shelleode作为攻击的载体，是缓冲区攻击检测的主要对象。随着检测技术的发展，攻击者更倾向于使用多态技术对Shellcode进行加密来绕过IDS的检测。针对MS Windows操作系统下的Shellcode，提出了一种将静态检测和动态执行相结合的新的攻击代码检测方法。在判断依据上做了新的定义，既使用动态模拟技术提高了对使用多态技术的Shellcode的检侧率，也兼顾了检测的效率。基于该方法，设计和实现了一套原型系统，并进行了检测率、误报率和吞吐率等方面的测试。测试结果表明，该系统在检测Shellcode的准确率和性能方面都达到了令人满意的效果。

Method of Shellcode Detection Based on Static and Dynamic Mechanism

Buffer overflow attack has been a major security problem in recent years,where attackers utilize buffer overflow vulnerabilities to control other computers. As the vehicle of attack, Shellcode is the main target of buffer overflow attack detections. Now attackers tend to employ polymorphic techniques to encode Shellcode, which makes it harder for signature-based NIDS to detect it, This paper proposed a new method to detect the Shellcode executed under MS Windows, which integrates static analysis and dynamic execution techniques. It made some new principles of Shellcode detection, which enhance both the accuracy and performance of polymorphic Shellcode detection.Then a prototype system was implemented and tested. The test results on both the accuracy and performance are quite encouraging.