Burak BAYOĞLU, İbrahim SOĞUKPINAR

3812

Polymorphic worm detection using strong token-pair signatures

Malicious software has become a big threat to information systems, which are widely used to store, transfer and process information for many critical assets. Worms are one of the most harmful network-enabled malicious software that can threaten networks and applications. Two main characteristics of worms distinguish them from the well-known virus programs and as a result are much more dangerous than the virus programs. First, they do not need to attach themselves to an existing program. Second, worms do not require end-user interaction to realize the intended attack. Therefore, a large number of victims can be infected in a short time. Polymorphic worms are a special subset of worm family which are more difficult to detect. Polymorphism is the key that facilitates creating different looking polymorphic worm copies while keeping the original worm code intact. Each variant for a polymorphic worm has a different pattern that it is not effective to use simple signature matching techniques. In this work, Strong Token-Pair(STP) signature scheme has been proposed to detect polymorphic worms. Experimental results support that STP signatures can be used with low false negative and false positive rates.
Anahtar Kelimeler:

Polymorphic worm, worm detection.

Polymorphic worm detection using strong token-pair signatures

Malicious software has become a big threat to information systems, which are widely used to store, transfer and process information for many critical assets. Worms are one of the most harmful network-enabled malicious software that can threaten networks and applications. Two main characteristics of worms distinguish them from the well-known virus programs and as a result are much more dangerous than the virus programs. First, they do not need to attach themselves to an existing program. Second, worms do not require end-user interaction to realize the intended attack. Therefore, a large number of victims can be infected in a short time. Polymorphic worms are a special subset of worm family which are more difficult to detect. Polymorphism is the key that facilitates creating different looking polymorphic worm copies while keeping the original worm code intact. Each variant for a polymorphic worm has a different pattern that it is not effective to use simple signature matching techniques. In this work, Strong Token-Pair(STP) signature scheme has been proposed to detect polymorphic worms. Experimental results support that STP signatures can be used with low false negative and false positive rates.
Keywords:

Polymorphic worm, worm detection.,

PDF

___

  • J. Newsome, B. Karp, D. Song, “Polygraph: Automatically generating signatures for polymorphic worms”, IEEE Security and Privacy Symposium, 2005
  • C. CAN-2003-0245. Apache apr-psprintf memory corruption vulnerability. http://www.securityfocus.com/bid/7723/discussion/. (May 2008)
  • CERT Advisory CA-2001-02 Multiple Vulnerabilities in BIND. ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code - VU#196945. http://www.kb.cert.org/vuls/id/196945. (May 2008)
  • The ADMmutate polymorphic engine. http://www.ktwo.ca/ADMmutate-0.8.4.tar.gz. (February 2007)
  • The CLET polymorphic engine. http://www.phrack.org/show.php?p=61&a=9. (February 2007)
  • Z. Li, M. Sanghi, Y. Chen, M.-Y. Kao, B. Chavez, “Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience”, In Proceedings of the IEEE Symposium on Security and Privacy, 2006
  • C. Kreibich and J. Crowcroft, “Honeycomb - creating intrusion detection signatures using honeypots”, In Proceed- ings of the Second Workshop on Hot Topics in Networks (HotNets-II), November 2003.
  • H. A. Kim and B. Karp, “Autograph: toward automated, distributed worm signature detection”, In Proceedings of the 13th USENIX Security Symposium, August 2004.
  • S. Singh, C. Estan, G. Varghese, and S. Savage, “Automated worm Şngerprinting”, In Proceedings of the 6th ACM/USENIX Symposium on Operating System Design and Implementation (OSDI), Dec. 2004.
  • V. Yegneswaran, J. Giffin, P. Barford, and S. Jha, “An architecture for generating semantic-aware signatures”, In USENIX Security Symposium, 2005.
  • Y. Tang and S. Chen, “Defending against Internet worms: A signature-based approach”, In Proceedings of Infocom, Y. Tang and S. Chen, “An Automated Signature-Based Approach against Polymorphic Internet Worms”, IEEE Transactions on Parallel and Distributed Systems, Volume 18, Issue 7, pp. 879-892, 2007.
  • L. Cavallaro, A. Lanzi, L. Mayer, M. Monga , “LISABETH: automated content-based signature generator for zero- day polymorphic worms”, International Conference on Software Engineering, Proceedings of the fourth international workshop on Software engineering for secure systems, pp. 41-48, 2008
  • M. Van Gundy, H. Chen, G. Vigna, “Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms”, 23rdAnnual Computer Security Applications Conference, pp. 74-85, 2007.
  • B. Bayo˘glu, ˙I. So˘gukpınar, “Polymorphic Worm Detection Using Token-Pair Signatures”, International Conference on Pervasive Services, 4thInternational Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing, pp. 7-12, 2008.
  • J. Zhang, H. Duan, L. Wang, Y. Guan, “A Fast Method of Signature Generation for Polymorphic Worms”, International Conference on Computer and Electrical Engineering, pp. 8-13, 2008.
  • M. Christodorescu, S. Jha, S.A. Seshia, D. Song, R.E. Bryant, “Semantics-aware malware detection”, In Proceedings of the IEEE Symposium on Security and Privacy, 2005.
  • Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna, “Polymorphic worm detection using structural informa- tion of executables”, In Proceedings of Recent Advances in Intrusion Detection (RAID), 2005.
  • Liang and R. Sekar, “Fast and automated generation of attack signatures: A basis for building self-protecting servers”, In Proceedings of ACM CCS, 2005.
  • S. Chen, X. Wang, L. Liu, X. Zhang, Z. Zhang, “WormTerminator: An Effective Containment of Unknown and Polymorphic Fast Spreading Worms”, In Proceedings of the ACM/IEEE symposium on Architecture for Networking and Communications systems, pp. 173-182, 2006.
  • G. Manzini and P. Ferragina, “Engineering a lightweight suffix array construction algorithm”, Algorithmica, 40(1), C. E. Lawrence, S. F. Altschul, M. S. Boguski, J. S. Liu, A. F. Neuwald, and J. C. Wootton, “Detecting Subtle Sequence Signals: A Gibbs Sampling Strategy for Multiple Alignment”, Science, vol. 262, pp. 208-214, Oct. 1993.
  • R. Perdisci, D. Dagon, W. Lee, P. Fogla, and M. Sharif, “Misleading worm signature generators using deliberate noise injection”, In IEEE Security and Privacy Symposium, pp. 15-31, 2006.
  • CVE-2004-0597: Multiple buffer overflows in libpng 1.2.5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE- 0597. (June 2008)
  • L. Hui, “Color set size problem with applications to string matching”, In Proceedings of the 3rd Symposium on Combinatorial Pattern Matching, 1992.
  • SANS Institute: Lion worm. http://www.sans.org/y2k/lion.htm (June 2006)
Turkish Journal of Electrical Engineering and Computer Science-Cover
  • ISSN: 1300-0632
  • Yayın Aralığı: Yılda 6 Sayı
  • Yayıncı: TÜBİTAK
Arşiv
Sayıdaki Diğer Makaleler

Parameter identification of a separately excited dc motor via inverse problem methodology

Mounir HADEF, Mohamed Rachid MEKIDECHE

Analytical regularization method for electromagnetic wave diffraction by axially symmetrical thin annular strips

Fatih DİKMEN, Yury Alexanderovich TUCHKIN

PCA based protection algorithm for transformer internal faults

Erdal KILIÇ, Okan ÖZGÖNENEL, Ömer USTA, Dave THOMAS

CDM based controller design for nonlinear heat exchanger process

Erkan İMAL

An intelligent face features generation system from fingerprints

Şeref SAĞIROĞLU, Necla ÖZKAYA

Polymorphic worm detection using strong token-pair signatures

Burak BAYOĞLU, İbrahim SOĞUKPINAR