Polymorphic worm detection using token-pair signatures

A worm is a self-replicating computer program that, unlike a virus, needs neither to attach itself to an existing program nor to rely on user intervention. Worms exploit vulnerabilities in operating systems and application software to infect systems. Polymorphic code is the art of writing code that mutates with every copy while leaving the underlying algorithm unchanged. Accordingly, a polymorphic worm changes its pattern each time it sends a copy to another system, which defeats simple signature matching. Nevertheless, some part of the code remains unchanged across copies. In this work, we propose Token-Pair Conjunction and Token-Pair Subsequence signatures for detecting polymorphic worm threats. Experiments with the proposed model were performed using two real polymorphic worms. The results show that the proposed signature schemes have low false negatives and false positives.
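
Added illustration, not code from the paper: a minimal matcher for the two signature types named in the abstract, with the matching semantics assumed from their names (conjunction: every token of every pair occurs somewhere in the flow; subsequence: the pairs occur in signature order, each pair's second token after its first). The signature and the flows are constructed; the benign flow that happens to contain all tokens out of order shows where the ordered variant avoids a false positive.

```python
from typing import Dict, List, Tuple

TokenPair = Tuple[bytes, bytes]


def matches_conjunction(payload: bytes, sig: List[TokenPair]) -> bool:
    """Assumed semantics: both tokens of every pair occur somewhere, order ignored."""
    return all(a in payload and b in payload for a, b in sig)


def matches_subsequence(payload: bytes, sig: List[TokenPair]) -> bool:
    """Assumed semantics: pairs occur in signature order, each pair's second token after its first."""
    pos = 0
    for a, b in sig:
        i = payload.find(a, pos)
        if i < 0:
            return False
        j = payload.find(b, i + len(a))
        if j < 0:
            return False
        pos = j + len(b)  # the next pair must start after this pair ends
    return True


# Constructed signature: two invariant token pairs of a hypothetical HTTP-borne worm.
SIGNATURE: List[TokenPair] = [(b"GET /", b"HTTP/1.1"), (b"\xff\xbf", b"\x90\x90")]

# Constructed flows: two mutated copies of the worm (different filler) and two benign requests.
FLOWS: Dict[str, bytes] = {
    "worm_copy_1": b"GET /a.cgi HTTP/1.1\r\nHost: h\r\n\r\n" + b"\xcc" * 6 + b"\xff\xbf\x01\x02" + b"\x90\x90\x90",
    "worm_copy_2": b"GET /b.php HTTP/1.1\r\nUser-Agent: q\r\n\r\n" + b"A" * 8 + b"\xff\xbf" + b"B" * 4 + b"\x90\x90",
    "benign_all_tokens": b"\x90\x90 pad GET /index.html HTTP/1.1\r\n\r\n\xff\xbf",
    "benign_plain": b"GET /index.html HTTP/1.1\r\n\r\n",
}


def classify(flows: Dict[str, bytes], sig: List[TokenPair]) -> Dict[str, Dict[str, bool]]:
    """Return, per flow, whether each signature type fires."""
    return {
        name: {"conjunction": matches_conjunction(p, sig), "subsequence": matches_subsequence(p, sig)}
        for name, p in flows.items()
    }


if __name__ == "__main__":
    for name, verdict in classify(FLOWS, SIGNATURE).items():
        print(f"{name:18s} conjunction={verdict['conjunction']} subsequence={verdict['subsequence']}")
```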
