ABSTRACT
Modern worms can spread so quickly that any countermeasure based on human reaction might not be fast enough. Recent research has focused on devising algorithms that automatically produce the signatures for polymorphic worms required by intrusion detection systems. Polymorphic worms, however, are harder to handle than non-mutating ones, because their mutated instances must also be identified. To this end, we propose Lisabeth, our improved version of Hamsa, an automated content-based signature generation system for polymorphic worms that uses invariant-byte analysis of network traffic content. We show a previously unknown attack against Hamsa's signature generator that Lisabeth counters. Moreover, we show that our approach generally improves resilience to poisoning attacks, as supported by our experiments with synthetic polymorphic worms.
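To make "invariant-byte analysis" concrete, the following Python is an added illustration of the general idea behind content-based generators such as Hamsa; it is not Lisabeth's or Hamsa's own code and does not reproduce their algorithms. It assumes a token-multiset style signature (a flow matches when every token is present), a coverage threshold on the suspicious pool, and a false-positive check against a benign pool. All worm instances, the noise flow and the benign flows are constructed, and the invariant strings are arbitrary placeholders rather than any real worm's content.

```python
"""Invariant-byte token extraction over a pool of suspicious flows, with a
coverage threshold and a benign-pool false-positive check.

Added illustration only: NOT Lisabeth's or Hamsa's code. Samples constructed.
"""

MIN_TOKEN_LEN = 4  # shorter substrings occur in benign traffic far too often


def invariant_tokens(samples, min_len=MIN_TOKEN_LEN, coverage=1.0):
    """Return the maximal substrings of samples[0] (length >= min_len) that
    occur in at least `coverage` of all samples, longest first.

    Scanning lengths from longest to shortest means a shorter substring of an
    already-kept token is skipped, so only maximal invariants survive."""
    base = samples[0]
    need = max(1, int(round(coverage * len(samples))))
    found = set()
    for length in range(len(base), min_len - 1, -1):
        for start in range(len(base) - length + 1):
            tok = base[start:start + length]
            if any(tok in kept for kept in found):
                continue  # covered by a longer invariant already found
            if sum(tok in s for s in samples) >= need:
                found.add(tok)
    return sorted(found, key=len, reverse=True)


def matches(signature, flow):
    """A flow matches when every token of the signature is present."""
    return all(tok in flow for tok in signature)


def false_positive_rate(signature, benign_pool):
    """Fraction of the benign pool that the signature would flag."""
    hits = sum(matches(signature, f) for f in benign_pool)
    return hits / len(benign_pool)


# --- constructed data ---------------------------------------------------
# Placeholder invariants standing in for protocol framing and exploit bytes.
INVARIANTS = (b"GET /cgi-bin/", b"\x00\x00\xff\xff", b"END\r\n")
# Distinct fillers sharing no 4-byte substring, so mutation is deterministic.
FILLERS = [b"abcdefghijkl", b"mnopqrstuvwx", b"ABCDEFGHIJKL", b"MNOPQRSTUVWX"]


def make_worm_instance(i):
    """One mutated instance: invariants survive, filler differs per instance."""
    f = FILLERS[i % len(FILLERS)]
    return INVARIANTS[0] + f + INVARIANTS[1] + f[::-1] + INVARIANTS[2]


WORM_POOL = [make_worm_instance(i) for i in range(4)]
# A benign-looking flow slipped into the suspicious pool (deliberate noise):
# it shares only the protocol framing with the real instances.
NOISE_FLOW = b"GET /cgi-bin/noise HTTP/1.0\r\n\r\n"
POISONED_POOL = WORM_POOL + [NOISE_FLOW]
BENIGN = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nContent-Length: 0\r\n\r\n",
    b"HELO mail.example.test\r\nQUIT\r\n",
]


if __name__ == "__main__":
    clean = invariant_tokens(WORM_POOL)
    print("clean pool      :", clean, "FPR", false_positive_rate(clean, BENIGN))
    poisoned = invariant_tokens(POISONED_POOL)
    print("poisoned, cov=1 :", poisoned, "FPR", false_positive_rate(poisoned, BENIGN))
    recovered = invariant_tokens(POISONED_POOL, coverage=0.8)
    print("poisoned, cov=.8:", recovered, "FPR", false_positive_rate(recovered, BENIGN))
```

Run on the clean pool, the extractor recovers exactly the three invariants and the signature flags none of the benign flows. With the noise flow in the pool and a strict 100% coverage requirement, the intersection collapses to the protocol framing alone, and the benign-pool check reports a non-zero false-positive rate; lowering the coverage threshold discards the noise and recovers the full signature. The benign-pool check is the cheap safeguard a generator should apply before a signature is deployed.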
Index Terms
- LISABETH: automated content-based signature generator for zero-day polymorphic worms