A Quasi-Species Model for the Propagation and Containment of Polymorphic Worms
September 2009 (vol. 58 no. 9)
pp. 1289-1296
Bradley Stephenson, MITRE Corporation, McLean and Rensselaer Polytechnic Institute, Troy
Biplab Sikdar, Rensselaer Polytechnic Institute, Troy
Polymorphic computer worms are characterized by their ability to change their byte sequence as they replicate and propagate, thereby aiming to thwart intrusion detection systems (IDSes). In this letter, we propose a model based on coevolution of biological quasi-species to characterize the propagation of polymorphic worms and the effect of IDSes on their dynamics. The model is used to derive the conditions required for the IDS to contain the worm. The model is validated using simulations.
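The paper's own equations are not reproduced on this page, so the following is an added illustration, not the authors' model: a generic replicator-mutator (quasi-species) system in which a polymorphic worm mutates at each replication and a signature-based IDS removes part of every generation, with containment decided by the dominant growth rate. Everything in it is a constructed assumption: an L-bit genotype with per-bit mutation probability mu, beta copies emitted per infected host per step, host removal (patch/clean) with probability gamma per step, a single signature that blocks copies within Hamming distance `radius` of a `master` variant with probability p, no depletion of susceptibles (early, linear phase), and the containment condition lambda_max(W) < gamma that follows from those assumptions rather than from the paper.

```python
"""Replicator-mutator ("quasi-species") model of a polymorphic worm facing a
signature-based IDS. Added illustration only; the paper's own equations are
not on this page and everything below is a constructed simplification:
  * a worm variant is an L-bit genotype; each replication flips every bit
    independently with probability mu (the standard per-site mutation matrix Q);
  * an infected host emits beta copies per step and is cleaned or patched with
    probability gamma per step regardless of variant;
  * the IDS holds one signature: a transmitted copy within Hamming distance
    `radius` of `master` is blocked with probability p (radius 0 = exact match);
  * susceptibles are not depleted: this is the early, linear phase of an
    outbreak, which is where containment is decided.
"""


def hamming(a, b):
    """Number of differing bits between two genotypes."""
    return bin(a ^ b).count("1")


def mutation_matrix(L, mu):
    """Q[j][i] = probability that a copy of variant j comes out as variant i."""
    n = 1 << L
    return [[mu ** hamming(i, j) * (1.0 - mu) ** (L - hamming(i, j))
             for i in range(n)] for j in range(n)]


def detection(L, master, radius, p):
    """delta[i] = probability the IDS blocks a transmitted copy of variant i."""
    return [p if hamming(i, master) <= radius else 0.0 for i in range(1 << L)]


def transmission_matrix(L, mu, beta, delta):
    """W[i][j] = expected new hosts of variant i spawned per host of variant j
    per step: beta copies, mutated by Q, minus those the IDS blocks on the wire."""
    Q = mutation_matrix(L, mu)
    n = 1 << L
    return [[beta * Q[j][i] * (1.0 - delta[i]) for j in range(n)] for i in range(n)]


def dominant_growth(W, iters=5000, tol=1e-13):
    """Perron eigenvalue of W (asymptotic per-step transmission factor) and its
    eigenvector (the equilibrium variant mix, i.e. the quasi-species), by power
    iteration. Assumes mu > 0 so that the undetected variants actually mix."""
    n = len(W)
    v = [1.0 / n] * n
    lam = 0.0
    for _ in range(iters):
        w = [sum(W[i][j] * v[j] for j in range(n)) for i in range(n)]
        s = sum(w)
        if s == 0.0:  # every variant is blocked: no transmission at all
            return 0.0, v
        w = [x / s for x in w]
        if abs(s - lam) < tol and max(abs(a - b) for a, b in zip(w, v)) < tol:
            return s, w
        lam, v = s, w
    return lam, v


def contained(L, mu, beta, gamma, master=0, radius=0, p=1.0):
    """Linear-phase containment test. Infected counts evolve as
    n(t+1) = (W + (1 - gamma) I) n(t), so the outbreak dies out iff the
    dominant eigenvalue of W is below the removal rate gamma.
    Returns (contained?, lambda_max(W))."""
    W = transmission_matrix(L, mu, beta, detection(L, master, radius, p))
    lam, _ = dominant_growth(W)
    return lam < gamma, lam


def simulate(L, mu, beta, gamma, steps, n0=100.0, master=0, radius=0, p=1.0):
    """Expected infected-host count per step, seeded with n0 hosts carrying
    `master` (exactly the variant the signature was written for)."""
    W = transmission_matrix(L, mu, beta, detection(L, master, radius, p))
    n = [n0 if i == master else 0.0 for i in range(1 << L)]
    totals = [sum(n)]
    for _ in range(steps):
        n = [sum(W[i][j] * n[j] for j in range(len(n))) + (1.0 - gamma) * n[i]
             for i in range(len(n))]
        totals.append(sum(n))
    return totals


if __name__ == "__main__":
    L, beta, gamma = 3, 0.5, 0.4
    print("no IDS:                lambda=%.4f" % contained(L, 0.05, beta, gamma, p=0.0)[1])
    for mu in (0.05, 0.2):
        ok, lam = contained(L, mu, beta, gamma, radius=1)
        print("radius-1 sig, mu=%.2f: lambda=%.4f contained=%s" % (mu, lam, ok))
    for mu in (0.0, 0.05):
        print("exact sig,    mu=%.2f: infected after 60 steps = %.3g"
              % (mu, simulate(L, mu, beta, gamma, 60)[-1]))
```

Two behaviours of this toy system are the ones worth checking against any real model of the abstract's kind. With a signature that also matches near neighbours of the master (radius 1), a worm mutating at mu = 0.05 still outgrows a removal rate of 0.4 (lambda about 0.469), but at mu = 0.2 it does not (lambda = 0.384): so much of each generation lands on covered variants that the worm is pushed over its error threshold, the "error catastrophe" of the quasi-species literature the paper builds on. With an exact-match signature (radius 0) the asymptotic eigenvalue is nearly beta for every mu > 0, and the simulation from a master-only seed shows why exact signatures fail against polymorphism: only the non-mutating worm (mu = 0) dies out, while at mu = 0.05 the few escaping mutants re-establish growth after a short dip. The eigenvalue test needs mu > 0 (otherwise variants do not mix and the seed alone decides the outcome), and neither calculation accounts for depletion of susceptible hosts or for the false-positive cost of a wider signature radius.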

Index Terms:
Network security, computer virus and worms, modeling techniques.
Citation:
Bradley Stephenson, Biplab Sikdar, "A Quasi-Species Model for the Propagation and Containment of Polymorphic Worms," IEEE Transactions on Computers, vol. 58, no. 9, pp. 1289-1296, Sept. 2009, doi:10.1109/TC.2009.63