Open Access
Shellcode Location Based on Register Information Flow
Author(s) -
Shuang Yu,
Hongyu Kuang,
Jian Wang
Publication year - 2019
Publication title - Journal of Physics: Conference Series
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.21
H-Index - 85
eISSN - 1742-6596
pISSN - 1742-6588
DOI - 10.1088/1742-6596/1345/4/042017
Subject(s) - computer science , executable , byte , static analysis , focus (optics) , code (set theory) , system call , data mining , operating system , programming language , physics , set (abstract data type) , optics
Because dynamic simulation, in which network traffic is fed to an emulator as executable code so that suspicious behaviour can be observed, achieves high detection accuracy, static analysis has become less popular. Earlier static shellcode detection methods are mainly statistical, focusing on abstract instruction features or byte patterns. Although these methods can be used for detection, they cannot guarantee the detection effect, and neither of them can easily locate the position of the shellcode. This paper proposes a new static-analysis-based approach. Because shellcode instructions rely heavily on contextual information, we use static disassembly to capture the fine-grained malicious patterns of register usage. To improve detection performance, several rules are designed based on the characteristics of shellcode. Experimental results show that our method has potential and may perform better when combined with other shellcode detection methods.
