Abstract
It is crucial to automatically generate accurate and effective signatures to defend against polymorphic worms. Previous work using conjunctions of tokens or token subsequences can lose important information, such as ignoring 1-byte tokens and neglecting the distances between sequential tokens. In this paper we propose the Simplified Regular Expression (SRE) signature and present a signature generation method for it based on a multiple sequence alignment algorithm. The multiple sequence alignment algorithm is extended from a pairwise sequence alignment algorithm that encourages contiguous substring extraction, supports wildcard string alignment, and preserves the distance between invariant content segments in the generated SRE signatures. Thus the generated SRE signature can express distance information for invariant content in polymorphic worms, which in turn makes even 1-byte invariant content extracted from polymorphic worms valuable. Experiments on several types of polymorphic worms show that, compared with signatures generated by current network-based signature generation systems (NSGs), the generated SRE signatures match polymorphic worms more accurately and precisely.
The work was partially supported by the National Basic Research Program of China (973) under Grant No. 2005CB321801, and the National Natural Science Foundation of China under Grant No. 90412011.
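As an added illustration of the idea in the abstract (not the paper's algorithm or code), the Python below aligns two constructed payload samples with a plain Needleman-Wunsch pairwise alignment and collapses the result into a simplified regular expression: invariant bytes stay literal (even a single byte), runs of aligned substitutions become a fixed-distance `.{k}`, and regions containing an insertion or deletion become `.*`. The SRE syntax, scoring parameters and sample bytes are assumptions; the paper's multiple alignment and its contiguity-encouraging scoring are not reproduced here.

```python
import re

def needleman_wunsch(a: bytes, b: bytes, match=2, mismatch=-1, gap=-2):
    """Global pairwise alignment (linear gap penalty); None marks a gap."""
    n, m = len(a), len(b)
    score = [[(i + j) * gap if i * j == 0 else 0 for j in range(m + 1)] for i in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = match if a[i - 1] == b[j - 1] else mismatch
            score[i][j] = max(score[i - 1][j - 1] + sub, score[i - 1][j] + gap, score[i][j - 1] + gap)
    col_a, col_b, i, j = [], [], n, m
    while i > 0 or j > 0:  # traceback; a substitution is preferred over a gap
        sub = match if i and j and a[i - 1] == b[j - 1] else mismatch
        if i and j and score[i][j] == score[i - 1][j - 1] + sub:
            col_a.append(a[i - 1]); col_b.append(b[j - 1]); i -= 1; j -= 1
        elif i and score[i][j] == score[i - 1][j] + gap:
            col_a.append(a[i - 1]); col_b.append(None); i -= 1
        else:
            col_a.append(None); col_b.append(b[j - 1]); j -= 1
    return col_a[::-1], col_b[::-1]

def alignment_to_sre(col_a, col_b) -> bytes:
    """Invariant runs stay literal (even 1 byte); substitution-only runs become
    '.{k}' so the distance survives; runs containing an indel become '.*'."""
    parts, i, width = [], 0, len(col_a)
    same = [x is not None and x == y for x, y in zip(col_a, col_b)]
    while i < width:
        j = i
        while j < width and same[j] == same[i]:
            j += 1
        if same[i]:
            parts.append(re.escape(bytes(col_a[i:j])))
        elif None in col_a[i:j] or None in col_b[i:j]:
            parts.append(b".*")
        else:
            parts.append(b".{%d}" % (j - i))
        i = j
    return b"".join(parts)

def generate_sre(a: bytes, b: bytes) -> bytes:
    """Pairwise version only; a multiple alignment would fold in further samples."""
    return alignment_to_sre(*needleman_wunsch(a, b))

def matches(sig: bytes, payload: bytes) -> bool:
    return re.search(sig, payload, re.DOTALL) is not None

# Constructed samples (assumption): the same invariant tokens around different filler bytes.
SAMPLE_1 = b"\x01AB\x02XX\x03\xaa\xbb\xcc\x04"
SAMPLE_2 = b"\x01AB\x02YY\x03\xdd\xee\x04"
```

The resulting signature keeps the 1-byte tokens `\x03` and `\x04` and the exact 2-byte distance between `\x02` and `\x03`, so a variant that shifts that distance no longer matches, whereas a token-conjunction signature would still accept it.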
© 2007 Springer-Verlag Berlin Heidelberg
Tang, Y., Lu, X., Xiao, B. (2007). Generating Simplified Regular Expression Signatures for Polymorphic Worms. In: Xiao, B., Yang, L.T., Ma, J., Muller-Schloer, C., Hua, Y. (eds) Autonomic and Trusted Computing. ATC 2007. Lecture Notes in Computer Science, vol 4610. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-73547-2_49
DOI: https://doi.org/10.1007/978-3-540-73547-2_49
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-73546-5
Online ISBN: 978-3-540-73547-2