Abstract
Polymorphic worms can change their patterns dynamically, which makes the generation of worm signatures a challenging task, and the task is more difficult still in noisy environments. In this paper, we propose a novel approach, CGNRS, to generate worm neighborhood-relation signatures (NRS) from a suspicious flow pool that contains noisy sequences. CGNRS divides the n sequences into m groups, each containing 20 sequences, and identifies the worm sequences in each group by adopting color coding and computing NRS. All identified worm sequences are then used to generate the final NRS. We have carried out extensive experiments to evaluate the quality of the signatures generated by CGNRS. Compared with signatures generated by existing approaches, the experimental results show that the NRS generated by our approach can effectively detect polymorphic worms when the suspicious flow pool contains noise sequences.
Acknowledgment
This work is supported by National Natural Science Foundation of China under Grant No. 61202495 and No. 61573379.
© 2016 Springer International Publishing AG
Wang, J., Wu, J. (2016). A Novel Signature Generation Approach in Noisy Environments for Detecting Polymorphic Worm. In: Wang, G., Ray, I., Alcaraz Calero, J., Thampi, S. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2016. Lecture Notes in Computer Science, vol 10066. Springer, Cham. https://doi.org/10.1007/978-3-319-49148-6_10
DOI: https://doi.org/10.1007/978-3-319-49148-6_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49147-9
Online ISBN: 978-3-319-49148-6
eBook Packages: Computer Science; Computer Science (R0)