Automatic signature generation for polymorphic worms by combination of token extraction and sequence alignment approaches

Because modern worms spread quickly, any countermeasure based on human reaction is barely fast enough to thwart the threat. Moreover, because polymorphic worms can generate mutated instances, they are more complex than non-mutating ones. Content-based signature generation for polymorphic worms is currently a challenge for network security. Several signature classes have been proposed for polymorphic worms. Although previously proposed schemes consider patterns such as 1-byte invariants and distance restrictions, they can handle neither large payloads nor large pools of worm instances. Moreover, they are prone to noise injection attacks. We propose a method that combines two approaches to creating a polymorphic worm signature in a new way that avoids the limitations of both. The proposed signature generation scheme is based on token extraction and multiple sequence alignment, a technique widely used in bioinformatics. This approach provides speed, accuracy, and flexibility in terms of noise tolerance. The evaluations demonstrate these claims.
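The two-step scheme described in the abstract (token extraction, then alignment of the extracted tokens), as an added Python example that is not the paper's own code. The payloads are constructed; the `support` threshold, the token extractor and the progressive pairwise alignment (longest common subsequence in place of a full multiple sequence alignment) are my own simplifications of the idea.

```python
import re

# Constructed sample payloads (not real worm traffic): a shared request prefix,
# a fixed 4-byte address fragment and a decoder marker, separated by filler
# bytes that differ per instance (the polymorphic part).
WORM_SAMPLES = [
    b"GET /cgi/run?a=Qx9m\x7f\xfe\x12\x34kLp2WcDECODE\r\n",
    b"GET /cgi/run?a=Zt\x7f\xfe\x12\x34rBv5DECODE\n",
    b"GET /cgi/run?a=hN7YQ\x7f\xfe\x12\x34e3KzDECODE \n",
]
NOISE_SAMPLE = b"POST /index.html HTTP/1.1\r\n"  # benign flow injected as noise


def invariant_tokens(samples, min_len=3, support=1.0):
    """Token extraction: maximal substrings (>= min_len bytes) present in at
    least a `support` fraction of samples, so a few noise samples are tolerated."""
    need = support * len(samples)
    cands = {s[i:j] for s in samples for i in range(len(s))
             for j in range(i + min_len, len(s) + 1)}
    kept = {t for t in cands if sum(t in s for s in samples) >= need}
    return sorted(t for t in kept if not any(t != u and t in u for u in kept))


def lcs(a, b):
    """Pairwise alignment of two token sequences (match scores 1, gaps 0)."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i, j = i + 1, j + 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def generate_signature(samples, min_len=3, support=1.0):
    """Extract tokens, then progressively align each sample's token ordering."""
    tokens = invariant_tokens(samples, min_len, support)
    consensus = None
    for s in samples:
        seq = sorted((t for t in tokens if t in s), key=s.find)
        if len(seq) < support * len(tokens):
            continue  # too few tokens: treat as noise, do not let it erode the alignment
        consensus = seq if consensus is None else lcs(consensus, seq)
    ordered = consensus or []
    return ordered, re.compile(b".*".join(map(re.escape, ordered)), re.DOTALL)
```

With `support=1.0` a single injected benign sample collapses the token set to the three-byte `T /`, which then matches the benign flow as well; lowering `support` to 0.75 keeps the three real invariants and their order.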