A Semantic-aware method for polymorphic signature generation

It is difficult for security experts to generate polymorphic signatures by using traditional string mining and matching techniques. A semantic-aware method is presented to generate a kind of two-level signature that includes both polymorphic semantics and string patterns. It first analyzes the characteristics of polymorphic engines and categorizes the data flows into different clusters and then uses static data flow methods to extract invariable semantic instructions. And then, it combines traditional string methods to generate the signature. In comparison with other methods, experimental results show that it may effectively reduce false positives and false negatives.

[1]  Fan Guo,et al.  Static detection of polymorphic attack codes: Static detection of polymorphic attack codes , 2011 .

[2]  Hongsheng Xi,et al.  SAS: semantics aware signature generation for polymorphic worm detection , 2010, International Journal of Information Security.

[3]  Sencun Zhu,et al.  STILL: Exploit Code Detection via Static Taint and Initialization Analyses , 2008, 2008 Annual Computer Security Applications Conference (ACSAC).

[4]  Hongsheng Xi,et al.  SAS: semantics aware signature generation for polymorphic worm detection , 2011, International Journal of Information Security.

[5]  Sencun Zhu,et al.  SigFree: A Signature-Free Buffer Overflow Attack Blocker , 2010, IEEE Transactions on Dependable and Secure Computing.

[6]  Ming-Yang Kao,et al.  Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).