计算机应用研究 (Application Research of Computers)
2015, No. 9, pp. 2816-2819 (4 pages)
Keywords: polymorphic shellcode; dynamic emulation; behavior pattern matching
Abstract: Among previous methods for detecting polymorphic shellcode, emulation-based dynamic detection mainly targets the decoder part of the polymorphic shellcode. Although such methods can detect targets to a certain extent, their performance and resistance to attack are poor. To further improve detection accuracy and reduce the false positive rate, this paper improves on the existing emulation-based dynamic detection methods by introducing a shellcode behavior pattern matching mechanism: the behavior of the decoded polymorphic shellcode is matched, according to given conditions, against common attack behavior patterns in order to determine and locate the payload. Finally, the method was implemented and tested with the Libemu system. Shellcode samples were extracted from Metasploit and Nepenthes, polymorphic samples were generated with encoders, and the method was evaluated in terms of detection rate and false positive rate. The experiments show that the method has higher effectiveness and stability.