Design and evaluation of a system for network threat signatures generation

Abstract. The paper addresses a problem of cybersecurity that plays a strategic role in modern computer networks: the use of pre-generated signatures to detect malicious content in network traffic. Given the rapid propagation of computer threats, it is crucial to detect them at an early stage of infection, so the main challenge is to design and develop efficient mechanisms for generating their signatures. Nowadays, manually generated signatures of computer worms are commonly used to identify malicious activity in networks. Creating such signatures often requires hours or even days of work, while the time available to generate a signature for an active worm is measured in minutes at most. Attack trends therefore change too fast for manual signature engineering to keep up, and automatic signature generation seems to be the only reasonable solution. In this paper, we investigate the problem of automatically generating signatures for zero-day polymorphic worms. We developed an efficient algorithm for token extraction and a novel method for automatic multi-token signature composition. Our method employs a genetic algorithm to produce signatures that accurately match network worms. We designed and developed a framework for offline signature generation that implements our method. The efficiency and utility of the system were verified through simulation. The test cases were carried out on data combining real flows with synthetic flows imitating real malicious Internet traffic. The results of experiments performed for selected polymorphic worms demonstrate that our framework can be used to create high-quality signatures in a reasonable time.
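The abstract describes two stages, token extraction from worm samples and genetic-algorithm composition of a multi-token signature, without showing either. The following is an added illustrative example written for this page; it is not the paper's framework or code. It assumes a simple reading of both stages: a token is a maximal substring shared by at least a given fraction of the worm samples, a signature is a conjunction of tokens (all must appear in a flow), and the genetic algorithm maximises true positives on worm flows while penalising matches on benign flows and signature length. All flows are constructed inline: the worm variants share four invariant substrings buried in random filler, one further substring appears only in some variants, and the benign flows are built so that every three of the four invariants co-occur in some legitimate traffic, which is why a single- or even three-token signature is not enough.

```python
"""Token extraction and GA-based multi-token signature composition.

Illustrative example only, not the paper's implementation. All sample
flows below are constructed for the demonstration, not captured traffic.
"""
import random

rng = random.Random(7)
ALPHABET = b"abcdefghijklmnopqrstuvwxyz0123456789"

# Invariants every constructed worm variant carries (assumed, constructed).
INVARIANTS = [b"GET /", b"\x90\x90\x90", b"HTTP/1.1", b"ADMIN"]


def filler(n):
    """Random 'polymorphic' padding drawn from a harmless alphabet."""
    return bytes(rng.choice(ALPHABET) for _ in range(n))


def make_worm(i):
    """Constructed worm variant: invariants in random order, separated by filler."""
    parts = list(INVARIANTS)
    if i < 6:                       # present in only 6 of 8 variants
        parts.append(b"cmd.exe")
    rng.shuffle(parts)
    out = b""
    for p in parts:
        out += filler(rng.randint(5, 15)) + p
    return out + filler(rng.randint(5, 15))


WORMS = [make_worm(i) for i in range(8)]

# Constructed benign flows: each of the first four contains three of the four
# invariants, so any signature with fewer than all four matches legitimate traffic.
BENIGN = [
    b"GET /ADMIN/login.html HTTP/1.1\r\nHost: intranet.example\r\n",
    b"GET /upload HTTP/1.1\r\n\r\n" + b"\x90\x90\x90" + filler(20),
    b"GET /ADMIN " + b"\x90\x90\x90" + filler(20),
    b"POST /ADMIN HTTP/1.1\r\n" + b"\x90\x90\x90" + filler(20),
    filler(60),
    filler(60),
]


def extract_tokens(samples, min_len=3, max_len=12, coverage=0.5):
    """Return maximal substrings present in at least `coverage` of the samples."""
    candidates = set()
    for s in samples:
        for length in range(min_len, max_len + 1):
            for i in range(len(s) - length + 1):
                candidates.add(s[i:i + length])
    kept = [t for t in candidates
            if sum(t in s for s in samples) / len(samples) >= coverage]
    # Drop tokens that are substrings of another kept token (keep maximal ones).
    return sorted(t for t in kept if not any(t != u and t in u for u in kept))


def matches(signature, flow):
    """Conjunctive signature: every token must occur in the flow."""
    return all(t in flow for t in signature)


def evaluate(signature, worms, benign):
    tpr = sum(matches(signature, f) for f in worms) / len(worms)
    fpr = sum(matches(signature, f) for f in benign) / len(benign)
    return tpr, fpr


def fitness(mask, tokens, worms, benign, fp_weight=2.0, len_weight=0.02):
    """Reward worm coverage, penalise benign matches and signature length."""
    signature = [t for t, bit in zip(tokens, mask) if bit]
    if not signature:               # empty conjunction matches everything
        return -1.0
    tpr, fpr = evaluate(signature, worms, benign)
    return tpr - fp_weight * fpr - len_weight * len(signature)


def evolve(tokens, worms, benign, seed=11, pop_size=40, generations=60, p_mut=0.1):
    """Simple GA over token subsets (bit mask per token) with elitism."""
    ga = random.Random(seed)
    n = len(tokens)

    def fit(mask):
        return fitness(mask, tokens, worms, benign)

    def tournament(pop):
        a, b = ga.sample(pop, 2)
        return a if fit(a) >= fit(b) else b

    pop = [[ga.random() < 0.5 for _ in range(n)] for _ in range(pop_size)]
    best = max(pop, key=fit)
    for _ in range(generations):
        nxt = [best[:]]             # elitism: keep the best signature seen so far
        while len(nxt) < pop_size:
            p1, p2 = tournament(pop), tournament(pop)
            cut = ga.randint(1, n - 1) if n > 1 else 0
            child = p1[:cut] + p2[cut:]
            child = [(not g) if ga.random() < p_mut else g for g in child]
            nxt.append(child)
        pop = nxt
        best = max(pop, key=fit)
    return [t for t, bit in zip(tokens, best) if bit]


def run_demo():
    tokens = extract_tokens(WORMS)
    signature = evolve(tokens, WORMS, BENIGN)
    tpr, fpr = evaluate(signature, WORMS, BENIGN)
    return {"tokens": tokens, "signature": signature, "tpr": tpr, "fpr": fpr}


if __name__ == "__main__":
    print(run_demo())
```

The extracted token set includes the four invariants plus `cmd.exe`, which covers only three quarters of the variants; the GA discards it because a signature carrying it misses worms, and it keeps all four invariants because dropping any one of them causes a match on one of the constructed benign flows. The coverage threshold and the false-positive weight are the knobs a practitioner would tune against real traffic.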
