A Novel Immune-Inspired Shellcode Detection Algorithm Based on Hyperellipsoid Detectors

الملخص EN

Shellcodes are machine language codes injected into target programs in the form of network packets or malformed files.

Shellcodes can trigger buffer overflow vulnerability and execute malicious instructions.

Signature matching technology used by antivirus software or intrusion detection system has low detection rate for unknown or polymorphic shellcodes; to solve such problem, an immune-inspired shellcode detection algorithm was proposed, named ISDA.

Static analysis and dynamic analysis were both applied.

The shellcodes were disassembled to assembly instructions during static analysis and, for dynamic analysis, the API function sequences of shellcodes were obtained by simulation execution to get the behavioral features of polymorphic shellcodes.

The extracted features of shellcodes were encoded to antigens based on n-gram model.

Immature detectors become mature after immune tolerance based on negative selection algorithm.

To improve nonself space coverage rate, the immune detectors were encoded to hyperellipsoids.

To generate better antibody offspring, the detectors were optimized through clonal selection algorithm with genetic mutation.

Finally, shellcode samples were collected and tested, and result shows that the proposed method has higher detection accuracy for both nonencoded and polymorphic shellcodes.