Polygraph: Automatically Generating Signatures for Polymorphic Worms
2005 IEEE Symposium on Security and Privacy (SP 2005), Oakland, California, May 8-11, 2005
ISBN: 0-7695-2339-0
pp: 226-241
James Newsome , Carnegie Mellon University
Brad Karp , Carnegie Mellon University
Dawn Song , Carnegie Mellon University
ABSTRACT
It is widely believed that content-signature-based intrusion detection systems (IDSes) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives.
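To make the abstract's central idea concrete, the following is an added example and not the paper's code (Polygraph's real token extraction, clustering and Bayes-signature algorithms are considerably more elaborate). It takes a small "suspicious pool" of constructed polymorphic payloads that share only protocol framing and a fixed return address, extracts the maximal substrings invariant across all of them, builds both a conjunction signature (all tokens present, any order) and a token-subsequence signature (tokens in order), and measures each against a constructed benign pool to show why the return-address token is what keeps false positives down. The payloads, the return address bytes and the benign requests are all invented for the example.

```python
"""Simplified Polygraph-style invariant-token extraction (added example, not
the paper's implementation). All traffic below is constructed for the demo."""
import re

MIN_TOKEN_LEN = 3  # shorter substrings match far too much benign traffic

RET = b"\x08\x04\x83\x10"                   # assumed fixed return address (constructed)
FRAME_TAIL = b" HTTP/1.1\r\nHost: v\r\n\r\n"  # invariant protocol framing

# Suspicious pool: each "infection attempt" has the same framing and return
# address but a different decoder stub and padding (polymorphic body).
SUSPICIOUS_POOL = [
    b"GET /x1?a=\xeb\x1b\x5e\x31\xc0" + RET + b"AAAA" + FRAME_TAIL,
    b"GET /y2?a=\xd9\xee\xd9\x74\x24" + RET + b"BBBBB" + FRAME_TAIL,
    b"GET /z3?a=\x6a\x0b\x58\x99\x52" + RET + b"CCC" + FRAME_TAIL,
]

# Benign pool: ordinary requests used to estimate a signature's false positives.
BENIGN_POOL = [
    b"GET /index.html?a=1" + FRAME_TAIL,
    b"GET /img/logo.png" + FRAME_TAIL,
    b"POST /login HTTP/1.1\r\nHost: v\r\n\r\nuser=bob",
]


def invariant_tokens(pool, min_len=MIN_TOKEN_LEN):
    """Return the maximal substrings (length >= min_len) present in every sample
    of the pool, ordered by where they first occur in the shortest sample."""
    base = min(pool, key=len)
    common = set()
    for i in range(len(base)):
        for j in range(i + min_len, len(base) + 1):
            sub = base[i:j]
            if all(sub in s for s in pool):
                common.add(sub)
            else:
                break  # a longer extension starting at i cannot be common either
    # keep only tokens that are not a proper substring of another common token
    maximal = [t for t in common if not any(t != u and t in u for u in common)]
    return sorted(maximal, key=base.find)


def conjunction_match(tokens, payload):
    """Conjunction signature: every token is present, in any order."""
    return all(t in payload for t in tokens)


def subsequence_match(tokens, payload):
    """Token-subsequence signature: the tokens appear in the given order."""
    pattern = b".*".join(re.escape(t) for t in tokens)
    return re.search(pattern, payload, re.DOTALL) is not None


def false_positive_rate(tokens, benign_pool, matcher=conjunction_match):
    """Fraction of the benign pool matched by the signature; an over-general
    signature (e.g. framing only) is exposed by a high value here."""
    hits = sum(1 for p in benign_pool if matcher(tokens, p))
    return hits / len(benign_pool)


if __name__ == "__main__":
    sig = invariant_tokens(SUSPICIOUS_POOL)
    print("invariant tokens:", sig)
    print("benign FP rate, full signature   :", false_positive_rate(sig, BENIGN_POOL))
    framing_only = [t for t in sig if t != RET]
    print("benign FP rate, framing-only sig :", false_positive_rate(framing_only, BENIGN_POOL))
    # tokens present but out of order: conjunction fires, subsequence does not
    shuffled = RET + b"?a=" + b"GET /" + FRAME_TAIL
    print("conjunction:", conjunction_match(sig, shuffled),
          "subsequence:", subsequence_match(sig, shuffled))
```

On the constructed pool the extractor recovers exactly the framing tokens and the return address; dropping the return address leaves a signature that also matches an innocent `GET /index.html?a=1`, which is the false-positive trap the abstract alludes to. Real Polygraph additionally handles a noisy suspicious pool (samples from more than one worm, or innocuous flows mixed in) by clustering, which this example omits.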
CITATION
James Newsome, Brad Karp, Dawn Song, "Polygraph: Automatically Generating Signatures for Polymorphic Worms", Proceedings of the 2005 IEEE Symposium on Security and Privacy (SP 2005), pp. 226-241, doi:10.1109/SP.2005.15