Computer Security Applications Conference, Annual (2007)
Miami Beach, Florida, USA
Dec. 10, 2007 to Dec. 14, 2007
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/ACSAC.2007.42
To combat the rapid infection rate of today's Internet worms, signatures for novel worms must be generated soon after an outbreak. This is especially critical in the case of polymorphic worms, whose binary representa- tion changes frequently during the infection process. In this paper, we examine the assumptions under- lying two leading network-based signature generation systems for polymorphic worms: Polygraph  and Hamsa . By identifying an assumption of both sys- tems not met by all vulnerabilities, we discover a class of vulnerabilities (feature omission vulnerabilities) that neither system can accurately characterize. We demon- strate the limitations of Polygraph and Hamsa by testing the signatures that they generate for exploits targeting a feature omission vulnerability. We discuss why feature omission vulnerabilities are difficult to characterize and how increased semantic awareness can help the signa- ture generation process.
Hao Chen, Zhendong Su, Matthew Van Gundy, Giovanni Vigna, "Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms", Computer Security Applications Conference, Annual, vol. 00, no. , pp. 74-85, 2007, doi:10.1109/ACSAC.2007.42