
Author: 徐千洋 (Chien-Yang Hsu)
Title: 針對以 Javascript 進行堆積擴展填充攻擊之偵測 (Detection of Javascript based Heapspray Attacks)
Advisor: 吳宗成 (Tzong-Chen Wu)
Committee members: 查士朝 (Shi-Cho Cha), 羅乃維 (Nai-Wei Lo)
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2011
Graduation academic year: 99
Language: Chinese
Pages: 55
Keywords (Chinese, translated): malicious web pages, malicious documents, PDF, heap spraying, shellcode, detection
Keywords (English): malicious web, malicious PDF, heapspray, shellcode detection
Abstract:

In recent years, network attack techniques have been constantly renewed, and operating systems and application software have kept adding security protection mechanisms to cope with each new type of attack technique. The routes attackers most commonly use today to compromise personal computers are users browsing malicious web pages and malicious documents attached to e-mail, both serving to distribute malware. A research report on malicious web pages published by Google indicated that among about 4.5 million websites, roughly 10% were malicious sites that would harm the browser, and according to a report by the antivirus vendor Symantec, malicious PDF document attacks accounted for 65% of all e-mail attacks in 2010. Malicious web pages and malicious PDF documents have clearly become important channels for spreading malware. Since the attack technique currently used by both malicious web pages and malicious PDF documents is Javascript-based heap spraying, and since related research mostly relies on signature matching of network attacks or on emulated execution with low efficiency, this study proposes a fast, general and highly accurate method for detecting heap spraying.

Table of contents:

    Chinese Abstract  I
    Abstract  III
    List of Tables  VI
    List of Figures  VII
    Chapter 1  Introduction  1
        1.1  Research Background  1
        1.2  Research Motivation and Objectives  2
        1.3  Thesis Structure  3
    Chapter 2  Literature Review  4
        2.1  Introduction to System Protection Mechanisms  4
            2.1.1  Data Execution Prevention  4
            2.1.2  Address Space Layout Randomization  7
        2.2  Introduction to Heap Spraying  10
        2.3  Javascript Obfuscation Techniques  18
        2.4  Related Work on Heap Spray Detection  22
        2.5  Related Work on Shellcode Detection  25
    Chapter 3  The Proposed Method  28
        3.1  Heap Spray Detection Approach  28
        3.2  Heap Resource Monitor  30
        3.3  Shellcode Detector  32
    Chapter 4  Tests and Result Analysis  34
        4.1  Javascript Heap Spray Detection Tests  34
        4.2  Application to Detecting PDF Documents  41
        4.3  Application to Detecting Malicious Web Pages  42
        4.4  Test Results and Analysis  43
    Chapter 5  Conclusions and Future Work  45
    References  49
    Appendix A  Chinese-English Glossary of Key Terms  54


    Full-text release date: 2015/07/20 (campus network)
    Full-text release date: full text not authorized for public release (off-campus network)
    Full-text release date: full text not authorized for public release (National Central Library: Taiwan thesis and dissertation system)