Research And Implementation Of 0day Vulnerability Detection Technology In Document Types

Posted on: 2016-05-18
Degree: Master
Type: Thesis
Country: China
Candidate: P Bai
Full Text: PDF
GTID: 2298330467495068
Subject: Information security
Abstract/Summary:
With the development of information technology, cyberspace has become as important as land, sea, air and space, and confrontation in cyberspace has become more and more intense. Exploiting vulnerabilities is one of the most common forms of attack in cyberspace, and 0Day vulnerabilities are the most effective. Because 0Day vulnerabilities are an efficient and widely used means in high-level cyberspace confrontation, research on 0Day vulnerability detection is very important.

In this paper, we survey the current status of cyberspace security, traditional vulnerability detection techniques and 0Day vulnerability detection techniques. The survey shows that research on formatted-document vulnerabilities still has many problems, such as the poor effectiveness of feature detection, the low efficiency of 0Day detection and the lack of specificity to documents. Since 0Day vulnerabilities in formatted documents are one of the most common attack methods in cyberspace, we focus on 0Day vulnerability detection for formatted documents. Shellcode detection and virtual execution are the focus of our research.

Our target document types are PDF documents, Microsoft Office documents, RTF documents, and MIME type documents.

The main work of this paper can be summarized as follows:

1. We analyzed different vulnerability detection technologies, especially 0Day vulnerability detection technologies, and decided to detect vulnerabilities in formatted documents by detecting the attack payload. We proposed a model based on malicious document detection and vulnerability signatures to detect 0Day vulnerabilities in formatted documents.

2. In our model, the first step is to analyze the file structure and then reorganize the document's content. After that, we use disassembly and virtual execution to detect shellcode. The principle is that shellcode rarely occurs in document files, so if we find shellcode in a document we can conclude that it is a malicious document that uses some kind of vulnerability. Finally, we use vulnerability signatures to check whether we have found a 0Day vulnerability or not.

3. Based on the proposed model, we designed and implemented a 0Day vulnerability detection system for formatted documents in a B/S architecture, and explained the implementation of each module in detail, especially formatted-document structure analysis and shellcode detection.

4. In our system, we combined three antivirus engines into an integrated antivirus system that serves as a subsystem. The subsystem is the vulnerability signature verification module of our vulnerability detection model, and it can run independently. We used the integrated antivirus system to help check the results of our malicious document detection module.

5. Most of our samples come from real Internet data, and some were constructed with tools. We used these samples to check our model; the results showed that our model has a good ability to detect document vulnerabilities and can identify malicious documents with 0Day vulnerabilities.
Keywords/Search Tags: 0Day vulnerability, vulnerability detection, formatted document, shellcode
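The decision flow of items 1, 2 and 4 above (structure analysis, payload detection, signature verification), as an added example that is not the thesis's implementation. Assumptions: static x86 GetPC byte patterns stand in for the disassembly and virtual-execution stage, only hex-encoded RTF data is handled, and the engine and signature names are hypothetical.

```python
import re

# Assumption: two classic x86 GetPC idioms, matched statically, stand in for
# the thesis's disassembly / virtual-execution shellcode detector.
CALL_POP = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")  # call $+5 ; pop r32
FNSTENV = re.compile(rb"\xd9\x74\x24\xf4")                   # fnstenv [esp-0xc]
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}\s*){8,}")           # hex-encoded RTF data

# Constructed samples: header bytes plus harmless nop, nop, call $+5, pop ebx
# in the first; header bytes plus the ASCII text "Hello world" in the second.
SAMPLE = r"{\rtf1\ansi{\object\objemb\objdata 0105000002000000 9090e8000000005b}}"
BENIGN = r"{\rtf1\ansi{\object\objemb\objdata 0105000002000000 48656c6c6f20776f726c64}}"


def rtf_payloads(rtf_text):
    """Structure analysis: decode every long hex run (e.g. \\objdata) to raw bytes."""
    return [bytes.fromhex("".join(m.group(0).split())) for m in HEX_RUN.finditer(rtf_text)]


def shellcode_indicators(data):
    """Payload detection: names of the GetPC idioms present in a byte buffer."""
    hits = []
    if CALL_POP.search(data):
        hits.append("call/pop GetPC")
    if FNSTENV.search(data):
        hits.append("fnstenv GetPC")
    return hits


def classify(rtf_text, av_verdicts):
    """av_verdicts maps engine name -> signature name, or None if the engine is silent."""
    hits = [h for blob in rtf_payloads(rtf_text) for h in shellcode_indicators(blob)]
    if not hits:
        return "no payload found"
    known = sorted(v for v in av_verdicts.values() if v)
    if known:
        return "known exploit: " + ", ".join(known)
    return "suspected 0Day (payload present, no signature match)"


if __name__ == "__main__":
    silent = {"engine_a": None, "engine_b": None, "engine_c": None}  # hypothetical engines
    print(classify(SAMPLE, silent))
```

A payload hit with no engine verdict is only a candidate: it says the document carries code that no current signature explains, which is the case the model hands to an analyst.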