Generating Simplified Regular Expression Signatures for Polymorphic Worms
نویسندگان
چکیده
It is crucial to automatically generate accurate and effective signatures to defense against polymorphic worms. Previous work using conjunctions of tokens or token subsequence could lose some important information, like ignoring 1 byte token and neglecting the distances in the sequential tokens. In this paper we propose the Simplified Regular Expression (SRE) signature, and present its signature generation method based on the multiple sequence alignment algorithm. The multiple sequence alignment algorithm is extended from the pairwise sequence alignment algorithm, which encourages the contiguous substring extraction and is able to support wildcard string alignment and to preserve the distance of invariant content segment in generated SRE signatures. Thus, the generated SRE signature can express distance information for invariant content in polymorphic worms, which in turn makes even 1 byte invariant content extracted from polymorphic worms become valuable. Experiments on several types of polymorphic worms show that, compared with signatures generated by current network-based signature generation systems (NSGs), the generated SRE signatures are more accurate and precise to match polymorphic worms.
منابع مشابه
Using a bioinformatics approach to generate accurate exploit-based signatures for polymorphic worms
In this paper, we propose Simplified Regular Expression (SRE) signature, which uses multiple sequence alignment techniques, drawn from bioinformatics, in a novel approach to generating more accurate exploit-based signatures. We also provide formal definitions of what is ‘‘a more specific’’ and what is ‘‘the most specific’’ signature for a polymorphic worm and show that the most specific exploit...
متن کاملPolymorphic Worms Detection Using A Supervised Machine Learning Technique
Polymorphic worms are considered as the most dangerous threats to the Internet security, and the danger lies in changing their payloads in every infection attempt to avoid the security systems. We have designed a novel doublehoneynet system, which is able to detect new worms that have not been seen before. To generate signatures for polymorphic worms we have two steps. The first step is the pol...
متن کاملAn Automated Signature Generation Approach for Polymorphic Worms Using Factor Analysis
Internet worms pose a major threat to Internet infrastructure security, and their destruction will be truly costly. Therefore, the networks must be protected as much as possible against such attacks. In this paper we propose automatic and accurate system for signature generation for unknown polymorphic worms. We have designed a novel double-honeynet system, which is able to detect new worms tha...
متن کاملCatch Me, If You Can: Evading Network Signatures with Web-based Polymorphic Worms
Polymorphic worms are self-replicating malware that change their representation as they spread throughout networks in order to evade worm detection systems. A number of approaches to detect polymorphicworms have been proposed. These approaches use samples of a polymorphic worm (and of benign traffic as well) to derive a signature that can detect all instances of the worm without producing exces...
متن کاملSurvey of Polymorphic Worm Signatures
Worms are self –replicating, fast moving malicious codes, capable of spreading themselves without human interaction. It’s a weapon of choice for those, who like to launch destructive attacks on network or internet as a whole. Recently there emerge more sophisticated worms such as polymorphic worm which vary their payload in every infection attempt. Polymorphic worms have more than one mutated i...
متن کامل