AICT 2013, The Ninth Advanced International Conference on Telecommunications
Signature Generation Based on Executable Parts in Suspicious Packets
Authors:
Daewon Kim
Jeongnyeo Kim
Hyunsook Cho
Keywords: network security; intrusion detection system; intrusion prevention system; malicious code; exploit code; worm code
Abstract:
Attackers generally gain control of a remote host through exploit or worm code that contains executable parts. The majority of such code still consists of instructions that the remote host's CPU can execute directly, without any decryption. We focus on the fact that some parts of exploit/worm code contain instruction patterns associated with function calls. In suspicious packets carrying exploit/worm code, these function-call instruction parts can be important information for generating an Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) signature that blocks the packets carrying the exploit/worm. In this paper, we propose an approach that detects instruction patterns following the function-call mechanism in suspicious packets and generates a signature that includes the specific payload positions within the packets in which the pattern was detected. We have implemented a prototype and evaluated it against a variety of executable and non-executable code. The results show that the proposed approach correctly classifies executable and non-executable code and can generate a high-quality signature based on the analysis results.
Pages: 166 to 169
Copyright: Copyright (c) IARIA, 2013
Publication date: June 23, 2013
Published in: conference
ISSN: 2308-4030
ISBN: 978-1-61208-279-0
Location: Rome, Italy
Dates: from June 23, 2013 to June 28, 2013