基于异常控制流识别的漏洞利用攻击检测方法

为应对APT等漏洞利用攻击的问题,提出了一种基于异常控制流识别的漏洞利用攻击检测方法.该方法通过对目标程序的静态分析和动态执行监测,构建完整的安全执行轮廓,并限定控制流转移的合法目标,在函数调用、函数返回和跳转进行控制流转移时,检查目标地址的合法性,将异常控制流转移判定为漏洞攻击,并捕获完整的攻击步骤.实验结果表明,该方法能够准确检测到漏洞利用攻击,并具备良好的运行效率,可以作为漏洞利用攻击的实时检测方案.

Exploit detection based on illegal controlflow transfers identification

In order to deal with exploit attacks such as APT,an approach was proposed to detect exploits based on illegal control flow transfers identification.Both static and dynamic analysis methods were performed to construct the CFSO (control flow safety outline),which was used to restrict the targets of control flow transfers occurred during the target program's running.When a call/ret/jmp was about to execute,the target was checked according to the CFSO.The illegal control flow transfer is considered as an exploit attack and all the following attacking steps could be captured.The ex-periment also showed that proposed method had decent overhead and could be applied to detect exploits online.