
A Novel Signature Generation Approach in Noisy Environments for Detecting Polymorphic Worm

Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10066)

Abstract

Polymorphic worms can change their patterns dynamically, which makes the generation of worm signatures a challenging task. In noisy environments the task is more difficult still. In this paper, we propose a novel approach, CGNRS, to generate worm neighborhood-relation signatures (NRS) from a suspicious flow pool that contains noisy sequences. CGNRS divides n sequences into m groups, each containing 20 sequences, and identifies the worm sequences in each group by adopting color coding and computing NRS. All identified worm sequences are then used to generate the final NRS. We have carried out extensive experiments to evaluate the quality of the signatures generated by CGNRS. Compared with signatures generated by existing approaches, the experimental results show that the NRS generated by our approach can be used to detect polymorphic worms effectively when the suspicious flow pool contains noise sequences.



Acknowledgment

This work is supported by the National Natural Science Foundation of China under Grant Nos. 61202495 and 61573379.

Author information

Corresponding author: Jie Wang


Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Wang, J., Wu, J. (2016). A Novel Signature Generation Approach in Noisy Environments for Detecting Polymorphic Worm. In: Wang, G., Ray, I., Alcaraz Calero, J., Thampi, S. (eds) Security, Privacy, and Anonymity in Computation, Communication, and Storage. SpaCCS 2016. Lecture Notes in Computer Science, vol. 10066. Springer, Cham. https://doi.org/10.1007/978-3-319-49148-6_10

  • DOI: https://doi.org/10.1007/978-3-319-49148-6_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-49147-9

  • Online ISBN: 978-3-319-49148-6
