网络流量中漏洞利用程序的识别和分类

Vulnerabilities are well known as the most serious thread of information system and play a key role in Advanced Persistent Threat(APT). It is hard for current defense system to detect and analyze the attack vectors used by hackers, which are usually cross-platforms and constructed by multi-vulnerabilities. There is a demand urgently for network-based vulnerability detection technology. In our research, we focus on the major problems: “difficult to analyze and extract features, since the exploits are too complex”, “analysis of one instance of a vulnerability exploit does not help us deal with a multiple constructed attach vector exploiting the same vulnerability”. We build models of typical vulnerability and corresponding exploit, by performing an analysis of their inner logic and relationship between behaviors. We also build models of vulnerability exploits to improve the efficiency and capacity of analyzing internal mechanism of exploits, by solving the problem of proposing methods to form a model of multiple characteristics. With models mentioned above, we develop a new fine-grained dynamic analysis technique to analyze complex vulnerabilities and multi-vulnerability attack. By measuring the similarity among instruction sequences and vulnerability exploit models, we divide exploit samples into several clusters and form a method of deducing signatures from these clusters, to improve the capacity of detection and analysis of Zero-Day attack and vulnerability exploit variants. Finally, we will complete the development of proto-type system to evaluate our research, form a complete theoretical and technical framework, and play a part in cyberattack defense. This project is expected to play a catalytic role in analyzing and defending known or unknown virtualization-obfuscated malware variants and professional malware developed by organized attackers. Moreover, it is also useful to improve the security of our critical information system.

软件漏洞是信息安全的主要威胁，也是APT攻击的核心要素，漏洞攻击已经进入跨平台的多目标多漏洞组合攻击阶段，对现有基于主机和特征检测的防御体系形成极大威胁，亟需突破针对网络流量中的漏洞利用分析与检测问题。本项目针对网络流量中漏洞利用分析检测所面临的漏洞机理复杂导致特征提取困难、组合与代码混淆方式多样导致已知特征难以支撑未知漏洞利用检测等问题，研究漏洞利用建模、利用代码族类特征提取、组合漏洞利用分析与基于族类特征的漏洞检测等方法，重点提升未知漏洞利用检测与组合漏洞利用分析能力，形成一套漏洞利用检测、分析和分类方法。最终基于项目理论研究成果研发原型系统，形成完整的理论和技术框架，在验证方法正确性的同时为实际工作提供支撑。该研究对于提高漏洞攻击检测与分析能力，尤其是具有国家背景的组织研发的漏洞攻击程序的分析和防御能力，防范对我国重要信息系统的攻击，具有重要的现实意义。

软件漏洞是信息安全的主要威胁，也是APT攻击的核心要素，漏洞攻击已经进入跨平台的多目标多漏洞组合攻击阶段，对现有基于主机和特征检测的防御体系形成极大威胁，亟需突破针对网络流量中的漏洞利用分析与检测问题。本项目针对网络流量中漏洞利用分析检测所面临的漏洞机理复杂导致特征提取困难、组合与代码混淆方式多样导致已知特征难以支撑未知漏洞利用检测等问题，研究漏洞利用建模、利用代码族类特征提取、组合漏洞利用分析与基于族类特征的漏洞检测等方法，重点提升未知漏洞利用检测与组合漏洞利用分析能力，形成一套漏洞利用检测、分析和分类方法。项目研发了原型系统，验证了方法正确性，同时为实际工作提供支撑。项目发表论文8篇，申请专利7项，完成了预期研究目标。