A quasi-species model for the propagation and containment of polymorphic worms

IEEE Transactions on Computers

Volumn 58, Issue 9, 2009, Pages 1289-1296

  Stephenson, Bradley ^a   Sikdar, Biplab ^b  

^a MITRE CORPORATION   (United States)

^b RENSSELAER POLYTECHNIC INSTITUTE   (United States)

Author keywords

Computer virus and worms; Modeling techniques; Network security

Indexed keywords

CO-EVOLUTION; INTRUSION DETECTION SYSTEMS; MODEL-BASED; MODELING TECHNIQUES; POLYMORPHIC WORMS;

COMPUTER SOFTWARE; COMPUTER WORMS; INTERNET; INTRUSION DETECTION; NETWORK SECURITY;

COMPUTER VIRUSES;

EID: 68949183354     PISSN: 00189340     EISSN: None     Source Type: Journal    
DOI: 10.1109/TC.2009.63     Document Type: Article

References (31)

1. J. Crandall et al., "On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits," i Proc. ACM Computer and Comm. Security (CCS) i, pp. 235-248, 2005.
2. C. Kruegel et al., "Polymorphic Worm Detection Using Structural Information of Executables," i Proc. Recent Advances in Intrusion Detection (RAID) i, pp. 207-226, 2005.
3. Z. Li et al., "Hamsa: Fast Signature Generation for Zero-Day Polymorphic Worms with Provable Attack Resilience," i Proc. IEEE Symp. Security and Privacy (S&P) i, pp. 32-47, 2006.
4. J. Newsome, B. Karp, and D. Song, "Polygraph: Automatically Generating Signatures for Polymorphic Worms," i Proc. IEEE Symp. Security and Privacy (S&P) i, pp. 226-241, 2005.
5. Y. Tang and S. Chen, "Defending Against Internet Worms: A Signature-Based Approach," i Proc. IEEE INFOCOM i, pp. 1384-1393, 2005.
6. J. Wang, I. Hamadeh, G. Kesidis, and D. Miller, "Polymorphic Worm Detection and Defense: System Design, Experimental Methodology, and Data Resources," i Proc. ACM Large Scale Attack Defense Workshop i, pp. 169-176, 2006.
7. A. Pasupulati et al., "Buttercup: On Network-Based Detection of Polymorphic Buffer Overflow Vulnerabilities," i Proc. IEEE/IFIP Network Operations and Management Systems (NOMS) i, pp. 235-248, 2004.
8. M. Polychronakis, K. Anagnostakis, and E. Markatos, "Network-Level Polymorphic Shellcode Detection Using Emulation," i J. Computer Virology i, vol. 2, no. 4, pp. 257-274, Feb. 2007.
9. P. Fogla et al., "Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic," i Proc. Advanced Computing Systems Assoc. (USENIX) Security Symp. i, p. 17, 2006.
10. R. Perdisci et al., "Misleading Worm Signature Generators Using Deliberate Noise Injection," i Proc. IEEE Symp. Security and Privacy (S&P) i, pp. 17-31, 2006.
11. J. Newsome, B. Karp, and D. Song, "Paragraph: Thwarting Signature Learning by Training Maliciously," i Proc. Recent Advances in Intrusion Detection (RAID) i, pp. 81-105, 2006.
12. Z. Chen, L. Gao, and K. Kwait, "Modeling the Spread of Active Worms," i Proc. IEEE INFOCOM i, pp. 1890-1900, 2003.
13. C. Zou, D. Towsley, and W. Gong, "Modeling and Simulation Study of the Propagation and Defense of Internet Email Worm," i IEEE Trans. Dependable and Secure Computing i, vol. 4, no. 2, pp. 105-118, Apr. 2007.
14. D. Moore, C. Shannon, and K. Claffy, "Code Red: A Case Study on the Spread and Victims of an Internet Worm," Proc. Internet Measurement Workshop (IMW), pp. 273-284, 2002.
15. D. Moore et al., "Internet Quarantine: Requirements for Containing Self-Propagating Code," Proc. IEEE INFOCOM, pp. 1901-1910, 2003.
16. G. Vigna et al., "Testing Network-Based Intrusion Detection Signatures Using Mutant Exploits," Proc. ACM Computer and Comm. Security (CCS) pp. 21-30, 2004.
17. J. Tucek et al., "Sweeper: A Lightweight End-to-End System for Defending Against Fast Worms," Proc. European Professional Soc. for Systems (EuroSys) Conf., pp. 115-128, 2007.
18. J. Jung, R. Milito, and V. Paxson, "On the Adaptive Real-Time Detection of Fast-Propagating Network Worms," Proc. Detection of Intrusions and Malware and Vulnerabillity Assessment (DIMVA), pp. 175-192, 2007.
19. N. Weaver, S. Staniford, and V. Paxson, "Very Fast Containment of Scanning Worms," Proc. Advanced Computing Systems Assoc. (USENIX) Security Symp., pp. 29-44, 2004.
20. H. Kim and B. Karp, "Autograph: Toward Automated, Distributed Worm Signature Detection," Proc. Advanced Computing Systems Assoc. (USENIX) Sec. Symp., pp. 271-286, 2004.
21. H. Yin et al., "Panorama: Capturing System-Wide Information Flow for Malware Detection and Analysis," Proc. ACM Computer and Comm. Security (CCS), pp. 116-127, 2007.
22. K. Wang, G. Cretu, and S. Stolfo, "Anomalous Payload-Based Worm Detection and Signature Generation," Proc. Recent Advances in Intrusion Detection (RAID), pp. 227-246, 2006.
23. M. Nilsson and N. Snoad, "Error Thresholds for Quasispecies on Dynamic Fitness Landscapes," Physical Rev. Letters, vol. 84, no. 1, pp. 191-194, Jan. 2000.
24. C. Kamp and S. Bornholdt, "Coevolution of Quasispecies: B-Cell Mutation Rates Maximize Viral Error Catastrophes," Physical Rev. Letters, vol. 88, no. 6, pp. 068104.1-068104.4, Feb. 2002.
25. C. Nachenberg, "Computer Virus-Antivirus Coevolution," Comm. ACM vol. 40, no. 1, pp. 46-51, Jan. 1997.
26. D. Brumley et al., "Towards Automatic Generation of Vulnerability-Based Signatures," Proc. IEEE Symp. Security and Privacy (S&P), pp. 2-16, 2006.
27. M. Chouchane, A. Walenstein, and A. Lakhotia, "Statistical Signatures for Fast Filtering of Instruction-Substituting Metamorphic Malware," Proc. ACM Workshop Recurring Malcode (WORM), 2007.
28. S. Chung and A. Mok, "Allergy Attack against Automatic Signature Generation," Proc. Recent Advances in Intrusion Detection (RAID , pp. 61-80, Sept. 2006.
29. B. Stephenson and B. Sikdar, "A Quasi-Species Approach for Modeling the Dynamics of Polymorphic Worms," Proc. IEEE INFOCOM, pp. 1-12, 2006.
30. S. Staniford, V. Paxson, and N. Weaver, "How to Own the Internet in Your Spare Time," Proc. Advanced Computing Systems Assoc. (USENIX) Security Symp., pp. 149-167, 2002.
31. K2, ADMmutate, http://www.ktwo.ca/c/ADMmutate-0.8.4.tar.gz, 2009.