Issue No.09 - September (2009 vol.58)
pp: 1289-1296
Bradley Stephenson , MITRE Corporation, McLean and Rensselaer Polytechnic Institute, Troy
ABSTRACT
Polymorphic computer worms are characterized by their ability to change their byte sequence as they replicate and propagate, thereby aiming to thwart intrusion detection systems (IDSes). In this letter, we propose a model based on coevolution of biological quasi-species to characterize the propagation of polymorphic worms and the effect of IDSes on their dynamics. The model is used to derive the conditions required for the IDS to contain the worm. The model is validated using simulations.
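The abstract summarizes the argument without giving the model's equations. The following Python script is an added illustration, not the paper's model or code: it sets up a toy replicator-mutator (quasi-species) system in which worm variants are L-bit strings copied with a per-bit mutation probability mu, each undetected variant produces beta copies per generation, and the IDS is a set of exact signatures that it learns for any variant whose prevalence reaches a threshold. The containment test is the standard one for a non-negative linear system: the worm dies out when the dominant eigenvalue of the growth matrix is below 1. All parameter names, the signature-learning rule and the closed-form threshold `critical_mutation_rate` are assumptions of this example; the paper's actual conditions are not reproduced here.

```python
"""Toy quasi-species model of a polymorphic worm versus a signature IDS.

Added example (not from the paper). Assumptions:
  * a variant is an L-bit string; replication flips each bit with prob. mu
  * every undetected variant yields beta copies per generation
  * the IDS blocks all copies made by a variant it holds a signature for,
    and learns a signature once a variant's count reaches learn_threshold
"""


def mutation_matrix(L, mu):
    """Q[j][i] = probability that a copy of variant j comes out as variant i."""
    n = 1 << L
    Q = []
    for j in range(n):
        row = []
        for i in range(n):
            h = bin(j ^ i).count("1")          # Hamming distance
            row.append((mu ** h) * ((1.0 - mu) ** (L - h)))
        Q.append(row)
    return Q


def growth_factor(beta, detect, Q, iters=200):
    """Dominant eigenvalue of W[j][i] = beta*(1-detect[j])*Q[j][i] by power
    iteration on the population row vector. Below 1.0 means containment.
    detect[j] is the IDS's probability of blocking copies made by variant j."""
    n = len(Q)
    x = [1.0 / n] * n
    lam = 0.0
    for _ in range(iters):
        y = [0.0] * n
        for j in range(n):
            w = beta * (1.0 - detect[j]) * x[j]
            if w == 0.0:
                continue
            for i in range(n):
                y[i] += w * Q[j][i]
        lam = sum(y)                           # 1-norm ratio -> Perron eigenvalue
        if lam <= 0.0:
            return 0.0
        x = [v / lam for v in y]
    return lam


def critical_mutation_rate(beta, L):
    """If the IDS detects every variant except the original, the worm grows
    at beta*(1-mu)^L (only faithful copies survive). It is contained once
    mu exceeds this value: the error-catastrophe analogue of quasi-species."""
    return 1.0 - beta ** (-1.0 / L)


def simulate(L, mu, beta, generations, learn_threshold, eps=1e-9):
    """Coevolution loop: worm spreads, then the IDS learns signatures for
    any variant it can observe. Starts from one copy of variant 0."""
    Q = mutation_matrix(L, mu)
    n = 1 << L
    x = [0.0] * n
    x[0] = 1.0
    detected = [False] * n
    history = []
    for _ in range(generations):
        nxt = [0.0] * n
        for j in range(n):
            if detected[j] or x[j] == 0.0:
                continue
            w = beta * x[j]
            for i in range(n):
                nxt[i] += w * Q[j][i]
        x = nxt
        total = sum(x)
        history.append(total)
        for i in range(n):                     # IDS signature learning step
            if x[i] >= learn_threshold:
                detected[i] = True
        if total < eps:
            break
    return {
        "contained": sum(x) < eps,
        "signatures": sum(detected),
        "peak": max(history),
        "generations": len(history),
    }


if __name__ == "__main__":
    L, beta = 4, 2.0
    print("critical mu:", round(critical_mutation_rate(beta, L), 4))
    for mu in (0.05, 0.2):
        Q = mutation_matrix(L, mu)
        all_but_master = [i != 0 for i in range(1 << L)]
        print(f"mu={mu}: growth={growth_factor(beta, all_but_master, Q):.4f}")
    print("monomorphic worm:", simulate(L, 0.0, beta, 50, 1.0))
    print("no IDS learning :", simulate(L, 0.1, beta, 10, float("inf")))
```

Two regimes are worth comparing when running it: with `mu` below `critical_mutation_rate` the worm keeps a viable "master" variant even when the IDS knows every other signature, while above it the population collapses under its own mutation load. The adaptive `simulate` loop shows the other side of the coevolution: a signature learned too late (high `learn_threshold`) lets the population grow by `beta` every generation, since nothing is ever blocked.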
INDEX TERMS
Network security, computer virus and worms, modeling techniques.
CITATION
Bradley Stephenson, "A Quasi-Species Model for the Propagation and Containment of Polymorphic Worms", IEEE Transactions on Computers, vol.58, no. 9, pp. 1289-1296, September 2009, doi:10.1109/TC.2009.63