
Research On Shellcode Detection And Location Technology Based On Network Data Stream

Posted on: 2020-04-09
Degree: Master
Type: Thesis
Country: China
Candidate: Y Song
Full Text: PDF
GTID: 2518306548994369
Subject: Information and Communication Engineering
Abstract/Summary:
With the rapid development of the Internet, network services and applications have penetrated into all aspects of society. However, network intrusions against major websites emerge one after another. Network security is not only a concern for every network user but has even become a new supporting force for national strategy. Faced with an increasingly severe network environment, network intrusion detection technology has received much attention. An important method of intrusion detection is to identify attack code. Shellcode is one of the main types of attack code and is often used to perform malicious functions in exploits; buffer overflow vulnerabilities are one of the typical scenarios. So far, a variety of methods for detecting Shellcode have been proposed, and the two mainstream approaches are static detection and simulated execution. However, existing detection algorithms have many limitations: the popular simulation-based methods seriously reduce efficiency, while static detection cannot guarantee detection accuracy. Artificial intelligence has strong learning and generalization ability and has been widely applied in many fields, so intrusion detection combined with artificial intelligence has become a research hotspot.

The work of this thesis is as follows. We propose a Shellcode detection method based on a convolutional neural network, which has acceptable detection speed and accuracy compared with the existing simulation-based method. We design a variety of Shellcode probes that match sequences of keywords to filter out benign data and obtain Shellcode candidates; the convolutional neural network then classifies the candidates using static features extracted from the Shellcode fragments. To improve detection performance, we use an alignment strategy to reduce the spatial dimension of the feature vector and adopt a special disassembly method to extract features.

In addition, because research on Shellcode positioning is lacking at the present stage, this thesis proposes a new method based on static register mode analysis. Shellcode instructions rely heavily on contextual information, so we use a static disassembly method to capture the association between instructions. The use of registers shows the correlation between instructions, so we design several extraction schemes to capture the fine-grained use of registers and then detect the presence of suspicious code logic in the data based on the designed malicious mode.

Based on the above, we design and implement a prototype system that detects Shellcode in the data stream for optional targets and data requirements. Experiments show that the proposed detection method has a very low false positive rate while maintaining an accuracy of 96.2%, and that the positioning method of this thesis also has great potential and performs better when combined with the Shellcode detection method. Compared with the Libemu and SBE methods, the proposed method is more efficient and can detect more kinds of malicious code, such as plain shellcode, encrypted shellcode, etc.
Keywords/Search Tags:internet security, intrusion detection, Shellcode detection, static analysis, convolutional neural network