Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms

Li, Zhichun; Wang, Lanjia; Chen, Yan; Fu, Zhi

doi:10.1109/icnp.2007.4375847

Cited by 28 publications

(13 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…LESG is the only network-based system that relies on these vulnerabilities [9]. It relies on parsing the protocol to extract the fields and find the maximum field lengths that make the application vulnerable to a buffer overflow attack.…”

Section: B Related Workmentioning

confidence: 99%

Automatic signature generation for polymorphic worms by combination of token extraction and sequence alignment approaches

Eskandari

Shajari

Asadi

2015

2015 7th Conference on Information and Knowledge Technology (IKT)

View full text Add to dashboard Cite

As modern worms spread quickly; any countermeasure based on human reaction is barely fast enough to thwart the threat. Moreover, because polymorphic worms could generate mutated instances, they are more complex than non-mutating ones. Currently, the content-based signature generation of polymorphic worms is a challenge for network security. Several signature classes have been proposed for polymorphic worms. Although previously proposed schemes consider patterns such as I-byte invariants and distance restrictions, they could not handle neither large payloads nor the big size pool of worm instances. Moreover, they are prone to noise injection attack. We proposed a method to combine two approaches of creating a polymorphic worm signature in a new way that avoid the limitation of both approaches. The proposedsignature generation scheme is based on token extraction and multiple sequence alignment, widely used in Bioinformatics. This approach provides speed, accuracy, and flexibility in terms of noise tolerance. The evaluations demonstrate these claims.

show abstract

Section: B Related Workmentioning

confidence: 99%

Automatic signature generation for polymorphic worms by combination of token extraction and sequence alignment approaches

Eskandari

Shajari

Asadi

2015

2015 7th Conference on Information and Knowledge Technology (IKT)

View full text Add to dashboard Cite

show abstract

“…M-Grams parameter presets threshold for minimum length of signature. After reviewing the literature [22], [23], [24] and according to our experiments on Witty worm, the M-Grams value is set to 2 n (where 5 d n d 10), which means the signature length is between 32-1024 bytes.…”

Section: Subroutinementioning

confidence: 99%

An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature

Ramadass

Abdullah

Altaher

2011

2011 4th IEEE International Conference on Broadband Network and Multimedia Technology

View full text Add to dashboard Cite

Polymorphic worms evade network security systems by varying their payload every time an infection is attempted. The payload's variation operation is performed by using built-in self content encryptor. However, all encrypted payloads share the same invariant exploit code to ensure exploiting same vulnerability in same manner on all victims. This research paper is an endeavor to interpret the invariant part into signature. The basic idea of the proposed method is to assemble attacking payloads on a honeypot, and then extracting the worm's signature by using a matching technique. The experiments were conducted on two datasets, Witty worm's payloads and synthetic payloads, and have demonstrated promising results.

show abstract

“…Li et al [19] proposed Hamsa, a noise-tolerant and attackresilient network-based automated signature generation system for polymorphic worms. Approaches to generate vulnerabilitybased signatures [5], [20] were also proposed on the network level without any host-level analysis of execution. However, Chung et al [9] showed that all of these signature generation schemes are vulnerable to advanced allergy attacks.…”

Section: Related Workmentioning

confidence: 99%

Using instruction sequence abstraction for shellcode detection and attribution

Zhao

Ahn

2013

2013 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

Abstract-Although several research teams have focused on binary code injection, it is still an unsolved problem. Misuse-based detection lacks the flexibility to tackle unseen malicious code samples and anomaly-based detection on byte patterns is highly vulnerable to byte cramming and blending attacks. In addition, it is desperately needed to correlate newly-detected code injection instances with known samples for better understanding the attack events and tactically mitigating future threats. In this paper, we propose a technique for modeling shellcode detection and attribution through a novel feature extraction method, called instruction sequence abstraction, that extracts coarse-grained features from an instruction sequence. Our technique facilitates a Markovchain-based model for shellcode detection and support vector machines for encoded shellcode attribution. We also describe our experimental results on shellcode samples to demonstrate the effectiveness of our approach.

show abstract

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms

Cited by 28 publications

References 17 publications

Automatic signature generation for polymorphic worms by combination of token extraction and sequence alignment approaches

Automatic signature generation for polymorphic worms by combination of token extraction and sequence alignment approaches

An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature

Using instruction sequence abstraction for shellcode detection and attribution

Contact Info

Product

Resources

About