Signature Generation Based on Executable Parts in Suspicious Packets

Provided by: IARIA
Topic: Security
Format: PDF
Attackers generally gain control of a remote host through exploit or worm code that contains executable parts. Most such code still consists of instructions that the remote host's CPU can execute directly, without any decryption. The authors focused on the fact that some parts of exploit/worm code include instruction patterns related to function calls. In suspicious packets carrying exploit/worm code, these function-call instruction parts can be important information for generating Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) signatures that block such packets.
