Security and Communication Networks
Volume 2018, Article ID 2063089, 10 pages
https://doi.org/10.1155/2018/2063089
Research Article

A Novel Immune-Inspired Shellcode Detection Algorithm Based on Hyperellipsoid Detectors

¹ Institute of Information Technology and Network Security, People’s Public Security University of China, Beijing, China
² Collaborative Innovation Center of Security and Law for Cyberspace, Beijing, China

Correspondence should be addressed to Tianliang Lu; ltl135@126.com

Received 21 October 2017; Accepted 31 January 2018; Published 28 February 2018

Academic Editor: Paolo D'Arco

Copyright © 2018 Tianliang Lu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Abstract

Shellcodes are machine language codes injected into target programs in the form of network packets or malformed files. Shellcodes can trigger buffer overflow vulnerabilities and execute malicious instructions. Signature matching technology used by antivirus software or intrusion detection systems has a low detection rate for unknown or polymorphic shellcodes. To solve this problem, an immune-inspired shellcode detection algorithm, named ISDA, was proposed. Both static analysis and dynamic analysis were applied. During static analysis, the shellcodes were disassembled into assembly instructions; for dynamic analysis, the API function sequences of shellcodes were obtained by simulated execution to capture the behavioral features of polymorphic shellcodes. The extracted features of shellcodes were encoded as antigens based on an n-gram model. Immature detectors become mature after immune tolerance based on the negative selection algorithm. To improve the nonself space coverage rate, the immune detectors were encoded as hyperellipsoids. To generate better antibody offspring, the detectors were optimized through a clonal selection algorithm with genetic mutation. Finally, shellcode samples were collected and tested, and the results show that the proposed method has higher detection accuracy for both nonencoded and polymorphic shellcodes.
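The pipeline the abstract outlines (n-gram antigen encoding, negative selection, hyperellipsoid matching) can be sketched as follows. This is an added example, not the authors' ISDA code: the 2-gram feature set, the mnemonic traces, the axis-aligned detector shape and the grid-generated candidates are all assumptions, and clonal selection is omitted.

```python
from collections import Counter
from itertools import product

# Assumed feature set: three mnemonic 2-grams (constructed for illustration).
NGRAMS = [("xor", "inc"), ("inc", "loop"), ("push", "call")]

def antigen(mnemonics, n=2):
    """Encode a disassembled instruction trace as relative n-gram frequencies."""
    grams = Counter(zip(*(mnemonics[i:] for i in range(n))))
    total = max(sum(grams.values()), 1)
    return tuple(grams[g] / total for g in NGRAMS)

def matches(detector, x):
    """A detector (center, semi-axes) matches x if x lies inside the hyperellipsoid."""
    center, axes = detector
    return sum(((xi - ci) / ai) ** 2 for xi, ci, ai in zip(x, center, axes)) <= 1.0

def negative_selection(self_set, step=0.25, axes=(0.2, 0.2, 0.15)):
    """Immune tolerance: keep only candidate detectors that match no self antigen.
    Candidates sit on a regular grid (an assumption made to keep the run repeatable)."""
    grid = [i * step for i in range(int(1 / step) + 1)]
    candidates = [(c, axes) for c in product(grid, repeat=len(axes))]
    return [d for d in candidates if not any(matches(d, s) for s in self_set)]

def is_nonself(detectors, x):
    """Flag an antigen if any mature detector covers it."""
    return any(matches(d, x) for d in detectors)

# Constructed mnemonic traces: benign call/return code (self) ...
BENIGN = [
    ["push", "mov", "push", "call", "add", "pop", "ret"],
    ["push", "call", "mov", "push", "call", "ret"],
    ["mov", "add", "cmp", "jne", "ret"],
]
# ... and a trace shaped like a decoder loop (nonself), mnemonics only.
DECODER = ["jmp", "pop", "xor", "mov", "xor", "inc", "loop", "jmp", "call"]
HELD_OUT_BENIGN = ["push", "call", "add", "ret"]

SELF = [antigen(t) for t in BENIGN]
DETECTORS = negative_selection(SELF)

if __name__ == "__main__":
    for name, trace in [("decoder", DECODER), ("held-out benign", HELD_OUT_BENIGN)]:
        print(name, antigen(trace), "nonself" if is_nonself(DETECTORS, antigen(trace)) else "self")
```

Shrinking a semi-axis in `axes` lets detectors sit closer to the self region along that feature without matching it, which is the coverage argument for hyperellipsoids over a single-radius detector.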