An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature

Polymorphic worms evade network security systems by varying their payload every time an infection is attempted. The variation is produced by a built-in encryptor that re-encrypts the payload body for each instance. However, all encrypted payloads share the same invariant exploit code, because the worm must exploit the same vulnerability in the same manner on every victim. This paper is an endeavor to turn that invariant part into a signature. The basic idea of the proposed method is to collect attack payloads on a honeypot and then extract the worm's signature from them using a matching technique. Experiments were conducted on two datasets, Witty worm payloads and synthetic payloads, and demonstrated promising results.
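As an added example that is not from the paper, the following Python builds a signature from the invariant bytes shared by a set of constructed polymorphic payload samples (standing in for payloads collected on a honeypot) and then checks it against an unseen variant and benign traffic. The longest-common-substring matching and every payload byte are assumptions; the abstract does not name its matching technique.

```python
import random

# Constructed stand-ins for the two pieces a polymorphic worm cannot vary:
# the address it overwrites control flow with and the decryptor stub that
# unpacks the changing body. Neither is taken from any real worm.
INVARIANT_ADDR = b"\x7f\xe8\x4a\x77"
INVARIANT_STUB = b"\xeb\x0e\x5e\x31\xc9\xb1\x20"

def make_payload(rng):
    """Constructed polymorphic sample: random filler and a re-encrypted body
    around the two invariant pieces, like payloads collected on a honeypot."""
    junk = lambda n: bytes(rng.randrange(256) for _ in range(n))
    return (junk(rng.randrange(8, 20)) + INVARIANT_ADDR + junk(32)
            + INVARIANT_STUB + junk(rng.randrange(4, 12)))

def common_substrings(payloads, min_len):
    """Maximal byte strings of at least min_len bytes present in every payload.
    Candidates are enumerated from the shortest sample and extended greedily
    while all other samples still contain them (assumed matching step)."""
    k = min(range(len(payloads)), key=lambda i: len(payloads[i]))
    base, others = payloads[k], payloads[:k] + payloads[k + 1:]
    n, found = len(base), []
    for i in range(n - min_len + 1):
        j = i + min_len
        if not all(base[i:j] in p for p in others):
            continue
        while j < n and all(base[i:j + 1] in p for p in others):
            j += 1
        found.append(base[i:j])
    # keep only substrings not contained in a longer common substring
    return [s for s in set(found) if not any(s != t and s in t for t in found)]

def signature(payloads, min_len=4):
    """Signature = invariant tokens in the order they appear in the first sample."""
    return sorted(common_substrings(payloads, min_len), key=payloads[0].find)

def matches(sig, data):
    """Detection side: True if every token of sig occurs in data, in order."""
    pos = 0
    for tok in sig:
        idx = data.find(tok, pos)
        if idx < 0:
            return False
        pos = idx + len(tok)
    return True

def run_demo(seed=7, n_samples=6):
    """Collect n_samples constructed payloads, derive the signature, then test
    it on an unseen variant (should match) and benign traffic (should not)."""
    rng = random.Random(seed)
    sig = signature([make_payload(rng) for _ in range(n_samples)])
    return sig, matches(sig, make_payload(rng)), matches(sig, b"GET /index.html HTTP/1.1\r\n")
```

The short minimum token length (4 bytes) keeps the example compact; a deployed signature generator would require more samples and longer invariants before trusting a token, since short byte strings recur in benign traffic.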
