Network-based and attack-resilient length signature generation for zero-day polymorphic worms

Proceedings - International Conference on Network Protocols, ICNP

Volumn , Issue , 2007, Pages 164-173

  Li, Zhichun ^a   Wang, Lanjia ^b   Chen, Yan ^a   Fu, Zhi ^c  

^a NORTHWESTERN UNIVERSITY   (United States)

^b TSINGHUA UNIVERSITY   (China)

^c MOTOROLA INC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ARSENIC COMPOUNDS; GATEWAYS (COMPUTER NETWORKS); INTERNET; NETWORK SECURITY;

ATTACK-RESILIENT; BUFFER OVERFLOWS; HONEYNETS; INTERNATIONAL CONFERENCES; NETWORK GATEWAYS; NETWORK LEVEL; POLYMORPHIC WORMS; SIGNATURE GENERATION;

NETWORK PROTOCOLS;

EID: 48349098240     PISSN: 10921648     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ICNP.2007.4375847     Document Type: Conference Paper

References (40)

1. Z. Liang and R. Sekar, "Automatic generation of buffer overflow attack signatures: An approach based on program behavior models," in Proc. of Computer Security Applications Conference (ACSAC), 2005.
2. The SANS Institute, "The Top 20 Most Critical Internet Security Vulnerabilities - PRESS UPDATE." http://www.sans.org/top2O/2005/ spring2006update.php.
3. M. Roesch, "Snort: The lightweight network intrusion detection system," 2001, http://www.snort.org/.
4. V. Paxson, "Bro: A system for detecting network intruders in real-time," Computer Networks, vol. 31, 1999.
5. C. Kreibich and J. Crowcroft, "Honeycomb - creating intrusion detection signatures using honeypots," in Proc. of the Workshop on Hot Topics in Networks (HotNets), 2003.
6. S. Singh, C. Estan, et al., "Automated worm fingerprinting," in Proc. of USENIX OSDI, 2004.
7. H. Kim and B. Karp, "Autograph: Toward automated, distributed worm signature detection," in Proc. of USENIX Security Symposium, 2004.
8. Z. Liang and R. Sekar, "Fast and automated generation of attack signatures: A basis for building self-protecting servers," in Proc. of ACM CCS, 2005.
9. X. Wang et al., "Packet vaccine: Black-box exploit detection and signature generation," in Proc. of ACM CCS, 2006.
10. D. Brumley et al., "Towards automatic generation of vulnerability-based signatures," in Proc. of IEEE Security and Privacy Symposium, 2006.
11. D. Moore et al., "The spread of the Sapphire/Slammer worm," http://www.caida.org, 2003.
12. S. Staniford et al., "How to own the Internet in your spare time," in Proceedings of the 11th USENIX Security Symposium, 2002.
13. _, "The top speed of flash worms," in Proc. of ACM CCS WORM Workshop, 2004.
14. Z. Li, M. Sanghi, Y. Chen, M. Kao, and B. Chavez, "Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience," in Proc. of IEEE Security and Privacy Symposium, 2006.
15. J. Newsome, B. Karp, and D. Song, "Polygraph: Automatically generating signatures for polymorphic worms," in Proc. of IEEE Security and Privacy Symposium, 2005.
16. Y. Tang and S. Chen, "Defending against internet worms: A signature-based approach," in Proc. of IEEE Infocom, 2003.
17. J. Newsome and D. Song, "Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software," in Proc. of NDSS, 2005.
18. J. R. Crandall, Z. Su, and S. F. Wu, "On deriving unknown vulnerabilities from zeroday polymorphic and metamorphic worm exploits," in Proc. of ACM CCS, 2005.
19. R. Perdisci et al., "Misleading worm signature generators using deliberate noise injection," in Proc. of IEEE Security and Privacy Symposium, 2006.
20. J. Newsome, B. Karp, and D. Song, "Paragraph: Thwarting signature learning by training maliciously," in Proc. of RAID, 2006.
21. S. P. Chuang and A. K. Mok, "Allergy attack against automatic signature generation," in Proc. of RAID, 2006.
22. P. Fogla et al., "Polymorphic blending attacks," in Proc. of USENIX Security Symposium, 2006.
23. V. Yegneswaran et al., "An architecture for generating semantic-aware signatures," in Proc. of USENIX Security Symposium, 2005.
24. C. Kruegel et al., "Polymorphic worm detection using structural information of executables," in Proc. of RAID, 2005.
25. Packeteer, "Solutions for Malicious Applications," http://www.packeteer.com/prod-sol/solutions/dos.cfm.
26. K. Wang and S. J. Stolfo, "Anomalous payload-based network intrusion detection," in Proc. of RAID, 2004.
27. K. Wang, G. Cretu, and S. J. Stolfo, "Anomalous payload-based worm detection and signature generation," in Proc. of RAID, 2005.
28. R. Vargiya and P. Chan, "Boundary detection in tokenizing network application payload for anomaly detection," in Proc. of ICDM Workshop on Data Mining for Computer Security (DMSEC), 2003.
29. M. Cost et al., "Vigilante: End-to-end containment of internet worms," in Proc. of ACM Symposium on Operating System Principles (SOSP), 2005.
30. F. Hsu and T. Chiueh, "Ctcp: A centralized TCP/IP architecture for networking security," in Proc. of ACSAC, 2004.
31. X. Wang et al., "Sigfree: A signature-free buffer overflow attack blocker," in Proc. of USENIX Security Symposium, 2006.
32. V. Yegneswaran, P. Barford, and D. Plonka, "On the design and use of internet sinks for network abuse monitoring," in Proc. of RAID, 2004.
33. M. Bailey et al., "The internet motion sensor: A distributed blackhole monitoring system," in Proc. of NDSS, 2005.
34. W. Cui, V. Paxson, and N. Weaver, "GQ: Realizing a system to catch worms in a quarter million places," ICSI, Tech. Rep. TR-06-004, 2006.
35. Y. Gao, Z. Li, and Y. Chen, "A dos resilient flow-level intrusion detection approach for high-speed networks," in Proc. of the IEEE International Conference on Distributed Computing Systems (ICDCS), 2006.
36. R. Pang et al., "binpac: A yacc for writing application protocol parsers," in Proc. of ACM/USENIX IMC, 2006.
37. S. A. Vinterbo, "Maximum k-intersection, edge labeled multigraph max capacity k-path, and max factor k-gcd are all NP-hard," Decision Systems Group,Harvard Medical School, Tech. Rep., 2002.
38. Z. Li, L. Wang, Y. Chen, and Z. Fu, "Network-based and attack-resilient length signature generation for zero-day polymorphic worms," Northwetern University, Tech. Rep. NWU-EECS-07-02, 2007.
39. V. Paxson et al., "Rethinking hardware support for network analysis and intrusion prevention," in Proc. of USENIX Hot Security, 2006.
40. Radware Inc., "Introducing 1000X Security Switching," http://www.radware.com/content/products/application_switches/ss/default%.asp.