The Community for Technology Leaders
2012 IEEE Symposium on Security and Privacy (2005)
Oakland, California
May 8, 2005 to May 11, 2005
ISSN: 1081-6011
ISBN: 0-7695-2339-0
pp: 226-241
James Newsome , Carnegie Mellon University
Dawn Song , Carnegie Mellon University
Brad Karp , Carnegie Mellon University
ABSTRACT
It is widely believed that content-signature-based intrusion detection systems (IDSes) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives.
INDEX TERMS
null
CITATION
James Newsome, Dawn Song, Brad Karp, "Polygraph: Automatically Generating Signatures for Polymorphic Worms", 2012 IEEE Symposium on Security and Privacy, vol. 00, no. , pp. 226-241, 2005, doi:10.1109/SP.2005.15
98 ms
(Ver )