Detection of Zero-Day Polymorphic Worms Using Principal Component Analysis

Polymorphic worms pose a serious challenge to Internet security. Detecting such a worm is difficult because it has more than one instance, and a very large effort is needed to capture all of these instances and to generate signatures for them. This paper proposes an automatic signature-generation system for zero-day polymorphic worms. We have designed a novel double-honeynet system that is able to detect new worms that have not been seen before. We apply Principal Component Analysis (PCA) to determine the most significant substrings that are shared between polymorphic worm instances and use them as signatures. The system is able to generate signatures that match most polymorphic worm instances with low false positives and low false negatives.
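The following is an added illustration, not the paper's own code, of the PCA step described in the abstract: candidate substrings shared between captured instances form an occurrence matrix, and the substrings with the largest projection onto the first principal component become the signature. It assumes a particular layout (rows are 4-byte substrings seen in at least two instances, columns are instances, cells are 0/1) and deliberately skips mean-centring, since centring would zero out substrings present in every instance, which are the ones a signature needs; the worm instances are constructed samples.

```python
# Added example (not from the paper): rank substrings shared between
# polymorphic worm instances by their loading on the first principal
# component of an occurrence matrix and keep the top ones as a signature.
# Assumptions: rows = 4-byte substrings seen in >= 2 instances, columns =
# instances, cell = 1 if present; the matrix is NOT mean-centred, because
# centring removes substrings present in every instance (zero variance),
# and those invariant substrings are exactly what a signature should use.
from itertools import combinations

NGRAM = 4  # assumed candidate substring length

def ngrams(payload: bytes, n: int = NGRAM) -> set:
    return {payload[i:i + n] for i in range(len(payload) - n + 1)}

def occurrence_matrix(instances):
    """Substrings shared by at least two instances, plus their 0/1 rows."""
    grams = [ngrams(p) for p in instances]
    shared = sorted({g for a, b in combinations(grams, 2) for g in a & b})
    return shared, [[1.0 if s in g else 0.0 for g in grams] for s in shared]

def first_component(rows, iters=100):
    """Leading eigenvector of the uncentred Gram matrix via power iteration."""
    n = len(rows[0])
    gram = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    v = [1.0] * n
    for _ in range(iters):
        w = [sum(gram[i][j] * v[j] for j in range(n)) for i in range(n)]
        norm = sum(x * x for x in w) ** 0.5 or 1.0
        v = [x / norm for x in w]
    return v if sum(v) >= 0 else [-x for x in v]  # eigenvector sign is arbitrary

def rank_substrings(instances):
    """Every shared substring with its projection onto the first component."""
    shared, rows = occurrence_matrix(instances)
    if not shared:
        return []
    v = first_component(rows)
    scored = [(s, sum(c * x for c, x in zip(r, v))) for s, r in zip(shared, rows)]
    return sorted(scored, key=lambda t: (-t[1], t[0]))

def pca_signature(instances, top=3):
    """Top-ranked substrings; with this layout they occur in every instance."""
    return [s for s, _ in rank_substrings(instances)[:top]]

# Constructed instances: fixed request framing and a fixed 4-byte marker
# occur in every copy; the 4 filler bytes between them vary per copy.
PREFIX, MARK, TRAILER = b"GET /cgi-bin/x?", b"\xde\xad\xbe\xef", b" HTTP/1.0\r\n"
INSTANCES = [PREFIX + f + MARK + TRAILER for f in (b"AAAA", b"AAAB", b"CCCC", b"CCCD")]

if __name__ == "__main__":
    for token, score in rank_substrings(INSTANCES)[:5]:
        print(f"{score:.2f}  {token!r}")
```

Substrings present in all four constructed instances score 2.0 and substrings shared by only two of them score 1.0, so the invariant framing and marker bytes rank first while the partially shared filler-boundary substrings fall below the cut.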
