
Research On Detection Methods Of Exploit Programs In Network Traffic Based On Control Flow Graph

Posted on: 2021-02-20
Degree: Master
Type: Thesis
Country: China
Candidate: J C Hu
GTID: 2428330623979540
Subject: Software engineering
Abstract/Summary:
With the progress of society and the development of the times, computers and various industries in society are becoming more and more closely integrated. Exploit programs in network traffic that can harm computers have become a threat that cannot be neglected, and their detection has become a research hotspot for researchers at home and abroad. In recent years of research on exploit programs, researchers have proposed many approaches to protect against and detect them, and these approaches have achieved certain results in practical applications.

Although the current detection and protection approaches for exploit programs in network traffic have achieved certain results, for exploit programs that perform abnormal jumps the current research on the analysis of exploit program characteristics and on exploit detection frameworks is insufficient, mainly in the following two aspects. Firstly, the current description of the characteristics of exploit programs is still at a relatively primitive level; it cannot reflect the essence of those characteristics, and mature results in describing them are lacking. Secondly, current research lacks a method that detects exploit programs from the perspective of a model; existing detection methods mainly add an identification ID to the code and determine the legitimacy of the control flow by checking the identification ID before dynamic execution. The research lacks an exploit detection model that can describe the characteristics of an exploit. In view of the above problems, this paper carries out research on exploit detection in network traffic. The main work is as follows:

1. This paper analyzes the characteristics of exploit programs and proposes a detection method based on those characteristics. After reading a large amount of existing research literature on exploit programs, and building on the existing Control Flow Graph (referred to as CFG), the paper puts the features of the exploit program, jump instruction characteristics and other characteristics into the CFG, and proposes a Control Flow Graph based Jump (referred to as JCFG). The formal description of the instruction nodes in the exploit program that may cause an abnormal jump is introduced, and the various module architectures that form the JCFG diagram are introduced and explained in detail. The methods of generating the IDA control flow diagram and the JCFG diagram are mainly introduced in this paper.

2. This paper builds a vulnerability detection framework and implements a JCFG-based vulnerability detection method. Firstly, the thesis proposes the definition of the characteristics of exploit programs that jump abnormally, according to the previous JCFG diagram and the relevant constraints for abnormal jumps. Secondly, by collecting dynamic and static detection information of the exploit program and combining existing vulnerability detection methods with the control-flow-integrity detection method (referred to as CFI), a Vulnerability Exploit Detection Method based on JCFG (referred to as JCFG-VEDM) is proposed. This paper mainly gives the formal description of the exploit program during its dynamic execution; through the execution of key instructions, the corresponding execution node is obtained by information extraction and, combined with the characteristics of the exploit program, the relevant definitions and constraints of the exploit detection function are proposed. The Vulnerability Exploit Detection Algorithm based on JCFG is mainly studied in this paper.

3. A prototype system is designed and implemented based on the detection method for vulnerability exploit programs in network traffic and the features of vulnerability exploit programs. Through the following three modules of the system, the traffic monitoring module, the JCFG generation module and the vulnerability exploitation program judgment module, the vulnerability exploit program in network traffic is detected, and the effectiveness of the proposed method can be verified.
Keywords/Search Tags:Exploit Program, Control Flow Graph, Control Flow Integrity, Traffic Analysis