ASCII Text

Yong Tang, Bin Xiao, Xicheng Lu, "Signature Tree Generation for Polymorphic Worms," IEEE Transactions on Computers, vol. 60, no. 4, pp. 565-579, April, 2011.

BibTeX

@article{ 10.1109/TC.2010.130,
  author = {Yong Tang and Bin Xiao and Xicheng Lu},
  title = {Signature Tree Generation for Polymorphic Worms},
  journal = {IEEE Transactions on Computers},
  volume = {60},
  number = {4},
  issn = {0018-9340},
  year = {2011},
  pages = {565-579},
  doi = {http://doi.ieeecomputersociety.org/10.1109/TC.2010.130},
  publisher = {IEEE Computer Society},
  address = {Los Alamitos, CA, USA},
}

RefWorks Procite/RefMan/Endnote

TY - JOUR
JO - IEEE Transactions on Computers
TI - Signature Tree Generation for Polymorphic Worms
IS - 4
SN - 0018-9340
SP - 565
EP - 579
EPD - 565-579
A1 - Yong Tang,
A1 - Bin Xiao,
A1 - Xicheng Lu,
PY - 2011
KW - Signature tree
KW - signature generation
KW - polymorphic worm
KW - sequence alignment.
VL - 60
JA - IEEE Transactions on Computers
ER -

