Using a bioinformatics approach to generate accurate exploit-based signatures for polymorphic worms

Computers and Security

Volumn 28, Issue 8, 2009, Pages 827-842

  Tang, Yong ^a,b   Xiao, Bin ^b   Lu, Xicheng ^a  

^a NATIONAL UNIVERSITY OF DEFENSE TECHNOLOGY   (China)

^b HONG KONG POLYTECHNIC UNIVERSITY   (Hong Kong)

Author keywords

Distance restriction; Exploit based signature generation; One byte invariant; Polymorphic worms; Sequence alignment; Simplified regular expression

Indexed keywords

FORMAL DEFINITION; MULTIPLE SEQUENCE ALIGNMENTS; NOISE ELIMINATION; NOISE-TOLERANT; NP-HARD; POLYMORPHIC WORMS; REAL-WORLD; REGULAR EXPRESSIONS; REMOVE NOISE; SEQUENCE ALIGNMENTS; SIGNATURE GENERATION; SUBSTRING;

ALIGNMENT; COMPUTATIONAL COMPLEXITY; PACKET SWITCHING;

BIOINFORMATICS;

EID: 71849087786     PISSN: 01674048     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.cose.2009.06.003     Document Type: Article

References (34)

1. Brumley D, Newsome J, Song D, Wang H, Jha S. Towards automatic generation of vulnerability-based signatures. In: the 2006 IEEE symposium on security and privacy; 2006. pp. 2-16.
2. Costa M, Crowcroft J, Castro M, Rowstron A, Zhou L, Zhang L, Barham P. Vigilante: end-to-end containment of internet worms. In: ACM symposium on operating systems principles; 2005. pp. 133-47.
3. Crandall JR, Su Z, Wu SF, Chong FT. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. In: the 12th ACM conference on computer and communications security; 2005. pp. 235-48.
4. DeTristan T, Ulenspiegel T, Malcom Y, von Underduk MS. Polymorphic shellcode engine using spectrum analysis. Phrack 2003;11:61-9.
5. Kim HA, Karp B. Autograph: toward automated, distributed worm signature detection. In: USENIX security symposium; 2004. pp. 271-86.
6. Kreibich C, Crowcroft J. Honeycomb - creating intrusion detection signatures using honeypots. In: The second workshop on hot topics in networks (Hotnets II), Boston; 2003.
7. Ktwo, Admmutate: Shellcode mutation engine; 2001.
8. Levenshtein V.I. Binary codes capable of correcting deletions, insertions, and reversals. Soviet Physics Doklady 10 8 (1966) 707-710
9. Li Z, Sanghi M, Chen Y, Kao MY, Chavez B. Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience. In: The 2006 IEEE symposium on security and privacy; 2006.
10. Li Z, Wang L, Chen Y, Fu Z. Network-based and attack-resilient length signature generation for zero-day polymorphic worms. In: The 15th IEEE International Conference on Network Protocols (ICNP 2007); 2007.
11. Liang Z, Sekar R. Fast and automated generation of attack signatures: a basis for building self-protecting servers. In: The 12th ACM conference on Computer and communications security; 2005a. pp. 213-22.
12. Liang Z, Sekar R. Automatic generation of buffer overflow attack signatures: an approach based on program behavior models. In: The 21st annual computer security applications conference; 2005b. pp. 215-24.
13. Lippmann R., Haines J.W., Fried D.J., Korba J., and Das K. The 1999 darpa off-line intrusion detection evaluation. Comput Networks 34 4 (2000) 579-595
14. Needleman S.B., and Wunsch C.D. A general method applicable to the search for similarities in the amino acid sequence of two proteins. Journal of Molecular Biology 48 (1970) 443-453
15. Newsome J, Song D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: The 12th annual network and distributed system security symposium; 2005.
16. Newsome J, Karp B, Song D. Polygraph: automatically generating signatures for polymorphic worms. In: the 2005 IEEE symposium on security and privacy; 2005. pp. 226-41.
17. Newsome J., Karp B., and Song D. Paragraph: thwarting signature learning by training maliciously (2006), RAID pp. 81-105
18. Notredame C. Recent progress in multiple sequence alignment: a survey. Pharmacogenomics 3 (2002) 131-144
19. Notredame C., Higgins D.G., and Heringa J. T-coffee: a novel method for fast and accurate multiple sequence alignment. Journal of Molecular Biology 302 1 (2000) 205-217
20. Perdisci R, Dagon D, Lee W, Fogla P, Sharif M. Misleading worm signature generators using deliberate noise injection. In: IEEE symposium on security and privacy; 2006.
21. Saitou N., and Nei M. The neighbor-joining method: a new method for reconstructing phylogenetic trees. Molecular Biology and Evolution 4 4 (1987) 406-425
22. Singh S, Estan C, Varghese G. Savage, Stefan, Automated worm fingerprinting. In: 6th USENIX OSDI; 2004.
23. Smirnov A, Chiueh, Tzi-cker. Dira: automatic detection, identification and repair of control-hijacking attacks. In: Proceedings of NDSS; 2005.
24. Song Y, Locasto ME, Stavrou A, Keromytis AD, Stolfo SJ. On the infeasibility of modeling polymorphic shellcode. In: ACM conference on computer and communications security (CCS); 2007.
25. Tang Y, Lu X, Xiao B. Generating simplified regular expression signatures for polymorphic worms. In: The 4th international conference on autonomic and trusted computing (ATC-07); 2007. pp. 478-88.
26. Tang Y., Luo J., Xiao B., and Wei G. Concept, characteristics and defending mechanism of worms. IEICE Transactions on Information and Systems E92-D 5 (2009) 799-809
27. Team MD. Metasploit project; 2007.
28. Thompson J.D., Higgins D.G., and Gibson T.J. Clustal w: improving the sensitivity of progressive multiple sequence alignment through sequence weighting, position-specific gap penalties and weight matrix choice. Nucleic Acids Research 22 22 (1994) 4673-4680
29. Venkataraman S., Blum A., and Song D. Limits of learning-based signature generation with adversaries (2008), NDSS
30. Vulnerability vs. exploit signatures and ips. URL (2005). http://archives.neohapsis.com/archives/sf/ids/2005-q2/0130.html
31. Wang K, Cretu G, Stolfo SJ. Anomalous payload-based worm detection and signature generation. In: Recent Advances in Intrusion Detection (RAID); 2003.
32. Wang XF, Li Z, Xu J, Reiter MK, Kil C, Choi JY. Packet vaccine: black-box exploit detection and signature generation. In: The 13th ACM conference on computer and communications security; 2006. pp. 37-46.
33. Xu J, Ning P, Kil C, Zhai Y, Bookholt C. Automatic diagnosis and response to memory corruption vulnerabilities. In: The 12th ACM conference on computer and communications security; 2005. pp. 223-34.
34. Yegneswaran V, Giffin JT, Barford P, Jha S. An architecture for generating semantics-aware signatures. In: The 14th USENIX security symposium; 2005. pp. 97-112.