SAS: Semantics aware signature generation for polymorphic worm detection

International Journal of Information Security

Volumn 10, Issue 5, 2011, Pages 269-283

  Kong, Deguang ^a   Jhi, Yoon Chan ^b   Gong, Tao ^c   Zhu, Sencun ^b   Liu, Peng ^a   Xi, Hongsheng ^c  

^a PENNSYLVANIA STATE UNIVERSITY   (United States)

^b The Pennsylvania State University   (United States)

^c UNIVERSITY OF SCIENCE AND TECHNOLOGY OF CHINA   (China)

Author keywords

Data flow analysis; Hidden Markov model; Machine learning; Semantics; Worm signature generation

Indexed keywords

ADVERSARIAL ENVIRONMENTS; DATA FLOW; MACHINE-LEARNING; MATCHING TECHNIQUES; NOISE INJECTION; NOISY PACKETS; POLYMORPHIC WORMS; SEMANTIC ANALYSIS; SIGNATURE GENERATION; STATISTICAL ALGORITHM; WORM DETECTION; WORM SIGNATURES;

DATA TRANSFER; HIDDEN MARKOV MODELS; LAKES; NETWORK SECURITY; SEMANTICS;

DATA FLOW ANALYSIS;

EID: 80052922553     PISSN: 16155262     EISSN: 16155270     Source Type: Journal    
DOI: 10.1007/s10207-011-0132-7     Document Type: Article

References (41)

1. Jempiscodes-a polymorphic shellcode generator. http://www. shellcode. com. ar/en/proyectos. html.
2. Baecher, P., Koetter, M.: Getting around non-executable stack (and fix). http://www. libemu. carnivore. it/.
3. Bania, P.: Evading network-level emulation. http://www. packetstormsecurity. org/papers/bypass/pbania-evading-nemu2009. pdf.
4. Borders, K., Prakash, A., Zielinski, M.: Spector: automatically analyzing shell code. In: Proceedings of the 23rd Annual Computer Security Applications Conference, pp. 501-514 (2007).
5. Gu, B., Bai, X., Yang, Z., Adam, C., Xuan, D.: Malicious shellcode detection with virtual memory snapshots. In: Proceedings of IEEE International Conference on Computer Communications (IEEE INFOCOM) (2010).
6. Brumley, D., Caballero, J., Liang, Z., Newsome, J., Song, D.: Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. In: Proceedings of the 16th USENIX Security (2007).
7. Christodorescu, M., Jha, S., Seshia, S., Song, D., Bryant, R.: Semantics-aware malware detection. In: 2005 IEEE Symposium on Security and Privacy (2005).
8. Chung, S. P., Mok, A. K.: Advanced allergy attacks: Does a corpus really help. In: Recent Advances in Intrusion Detection (RAID), pp. 236-255. Springer, Berlin (2007).
9. Collberg, C., Thomborson, C., Low, D.: A taxonomy of obfuscating transformations. In: Technical Report 148, University of Auckland (1997).
10. Detristan, T., Ulenspiegel, T., Malcom, Y., Superbus, M., Underduk, V.: Polymorphic shellcode engine using spectrum analysis. http://www. phrack. org/show. php?p=61&a=9.
11. Fogla, P., Sharif, M., Perdisci, R., Kolesnikov, O., Lee, W.: Polymorphic blending attacks. In: Proceedings of The 15th USENIX Security Symposium (2006).
12. Forsell, M., Leppänen, V.: Mtpa-a processor architecture for mp-socs employing the moving threads paradigm. In: PDPTA, pp. 198-204 (2009).
13. Gundy, M. V., Balzarotti, D., Vigna, G.: Catch me, if you can: Evading network signatures with web-based polymorphic worms. In: Proceedings of the First USENIX Workshop on Offensive Technologies (WOOT) Boston, MA (2007).
14. Gundy, M. V., Chen, H., Su, Z., Vigna, G.: Feature omission vulnerabilities: thwarting signature generation for polymorphic worms. In: Proceeding of Annual Computer Security Applications Conference (ACSAC) (2007).
15. Kc, G. S., Keromytis, A. D.: e-nexsh: achieving an effectively non-executable stack and heap via system-call policing. In: ACSAC, pp. 286-302 (2005).
16. Kim, H. A., Karp, B.: Autograph: toward automated, distributed worm signature detection. In: Proceedings of the 13th Usenix Security Symposium (2004).
17. Kreibich, C., Crowcroft, J.: Honeycomb: creating intrusion detection signatures using honeypots. In: Proceedings of the Workshop on Hot Topics in Networks (HotNets) (2003).
18. Krugel, C., Kirda, E.: Polymorphic worm detection using structural information of executables. In: 2005 International Symposium on Recent Advances in Intrusion Detecion (2005).
19. Krügel, C., Lippmann, R., Clark, A.: Emulation-based detection of non-self-contained polymorphic shellcode. In: Recent Advances in Intrusion Detection, 10th International Symposium, Lecture Notes in Computer Science, vol. 4637. Springer, Berlin (2007).
20. Li, Z.: Hamsa code. http://www. zhichunli. org/.
21. Li, Z., Sanghi, M., Chen, Y., Kao, M. Y., Chavez, B.: Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience. In: IEEE Symposium on Security and Privacy (2006).
22. Liang, Z., Sekar, R.: Automatic generation of buffer overflow attack signatures: An approach based on program behavior models. In: Proceedings of the Anual Computer Security Applications Conference (2005).
23. Liang, Z., Sekar, R.: Fast and automated generation of attack signatures: A basis for building self-protecting servers. In: Proceedings of the 12th ACM Conference on Computer and Communications Security (2005).
24. Macaulay, S.: Admmutate: polymorphic shellcode engine. http://www. ktwo. ca/security. html.
25. Mason, J., Small, S., Monrose, F., MacManus, G.: English shellcode. In: ACM Conference on Computer and Communications Security. ACM (2009).
26. Moore, H.: The metasploit project. http://www. metasploit. com.
27. Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Proceedings of the 23rd Anual Computer Security Applications Conference (2007).
28. Newsome, J., Karp, B., Song, D.: Polygraph: automatic signature generation for polymorphic worms. In: IEEE Symposium on Security and Privacy (2005).
29. Newsome, J., Karp, B., Song, D.: Paragraph: thwarting signature learning by training maliciously. In: Recent Advances in Intrusion Detection (RAID), pp. 81-105. Springer, Berlin (2006).
30. Newsome, J., Song, D.: Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In: Proceedings of Network and Distributed System Security Symposium (2005).
31. Pedro, N. D., Domingos, P., Sumit, M., Verma, S. D.: Adversarial classification. In: 10th ACM SIGKDD Conference On Knowledge Discovery and Data mining, pp. 99-108 (2004).
32. Perdisci, R., Dagon, D., Lee, W.: Misleading worm signature generators using deliberate noise injection. In: Proceedings of The 2006 IEEE Symposium on Security and Privacy (2006).
33. Rabiner L. R.: A tutorial on hidden markov models and selected applications in speech recognition. Proceedings of the IEEE 77(2), 257-286 (1999).
34. Ray, E.: Ms-sql worm. http://www. sans. org/resources/malwarefaq/ms-sql-exploit. php.
35. Singh S., Estan C., Varghese G., Savage S.: Earlybird System for Real-Time Detection of Unknown Worms, Technical Report. University of California at San Diego, San Diego (2003).
36. Smirnov, A., cker Chiueh, T.: Dira: Automatic detection, identification and repair of control-hijacking attacks. In: NDSS (2005).
37. Song, Y., Locasto, M. E., Stavrou, A., Keromytis, A. D., Stolfo, S. J.: On the infeasibility of modeling polymorphic shellcode. In: Proceedings of the 14th ACM conference on Computer and Communications Security(CCS), pp. 541-551 (2007).
38. Szor P.: The Art of Computer Virus Research and Defense, pp. 112-134. Addison Wesley, Upper Saddle River (2005).
39. Venkataraman, S., Blum, A., Song, D.: Limits of learning-based signature generation with adversaries. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008).
40. Wang, X., Jhi, Y. C., Zhu, S., Liu, P.: Still: exploit code detection via static taint and initialization analyses. In: Proceedings of Anual Computer Security Applications Conference (ACSAC) (2008).
41. Wang, X., Pan, C. C., Liu, P., Zhu, S.: Sigfree: a signature-free buffer overflow attack blocker. In: 15th Usenix Security Symposium (2006).