Profiling self-propagating worms via behavioral footprinting

This paper proposes behavioral footprinting, a new dimension of worm profiling based on worm infection sessions. A worm's infection session consists of a number of steps (e.g., probing, exploitation, and replication) that are exhibited in a certain order in every successful infection by that worm. Behavioral footprinting complements content-based signatures by enriching a worm's profile, which is then used for worm identification, an important task in post-attack investigation and recovery. We propose an algorithm to extract a worm's behavioral footprint from the worm's traffic traces. Our evaluation with a number of real worms and their variants confirms the existence of worms' behavioral footprints and demonstrates their effectiveness in worm identification.
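The following is an added illustration of the two tasks the abstract describes, written for this summary and not taken from the paper (the paper's own extraction algorithm is not reproduced here): a footprint is extracted as the ordered steps common to every recorded infection session of a worm, and an unknown session is identified by how much of each known footprint it contains in order. The traces, step labels and worm names are constructed.

```python
from itertools import groupby

# Constructed sample data (not from the paper): each trace is the time-ordered list of
# abstracted traffic events seen from one infected host, as (proto, dst_port, tag).
# The tags are labels a monitor is assumed to assign (probe / exploit / shell / fetch).
WORM_A_TRACES = [
    [("tcp", 445, "probe")] * 3 + [("tcp", 445, "exploit"), ("udp", 69, "fetch"), ("tcp", 445, "probe")],
    [("tcp", 445, "probe"), ("tcp", 445, "exploit"), ("tcp", 4444, "shell"), ("udp", 69, "fetch")],
]
WORM_B_TRACES = [
    [("tcp", 135, "probe"), ("tcp", 135, "exploit"), ("tcp", 4444, "shell"), ("udp", 69, "fetch")],
    [("tcp", 135, "probe")] * 2 + [("tcp", 135, "exploit"), ("tcp", 4444, "shell"), ("udp", 69, "fetch"), ("tcp", 135, "probe")],
]
# An unseen session (constructed): worm A's steps with unrelated noise in front and an extra step.
UNKNOWN_TRACE = [("tcp", 80, "probe"), ("tcp", 445, "probe"), ("tcp", 445, "exploit"),
                 ("tcp", 4444, "shell"), ("udp", 69, "fetch")]

def session_steps(trace):
    # Collapse consecutive repeats: a worm may send the same probe many times before it succeeds.
    return [event for event, _ in groupby(trace)]

def lcs(a, b):
    # Longest common subsequence by dynamic programming; returns the subsequence itself,
    # i.e. the steps shared by a and b in the same relative order.
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out

def extract_footprint(traces):
    # Footprint = ordered steps present in every infection session of the worm.
    footprint = session_steps(traces[0])
    for trace in traces[1:]:
        footprint = lcs(footprint, session_steps(trace))
    return footprint

def identify(trace, footprints):
    # Score each known worm by the fraction of its footprint found, in order, in the trace;
    # returns the best-scoring worm and its score so the caller can apply a threshold.
    steps = session_steps(trace)
    scores = {name: len(lcs(fp, steps)) / max(len(fp), 1) for name, fp in footprints.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]

if __name__ == "__main__":
    known = {"worm_a": extract_footprint(WORM_A_TRACES), "worm_b": extract_footprint(WORM_B_TRACES)}
    print(known)
    print(identify(UNKNOWN_TRACE, known))  # → ('worm_a', 1.0)
```

A score well below 1.0 for every known footprint indicates a session that matches no profiled worm and should be set aside for manual analysis rather than labelled.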
