TY - GEN
T1 - SAS
T2 - 6th International Conference on Security and Privacy in Communication Networks, SecureComm 2010
AU - Kong, Deguang
AU - Jhi, Yoon Chan
AU - Gong, Tao
AU - Zhu, Sencun
AU - Liu, Peng
AU - Xi, Hongsheng
PY - 2010
Y1 - 2010
N2 - String extraction and matching techniques have been widely used in generating signatures for worm detection, but how to generate effective worm signatures in an adversarial environment still remains challenging. For example, attackers can freely manipulate byte distributions within the attack payloads and can also inject well-crafted noisy packets to contaminate the suspicious flow pool. To address these attacks, we propose SAS, a novel Semantics Aware Statistical algorithm for automatic signature generation. When SAS processes packets in a suspicious flow pool, it uses data flow analysis techniques to remove non-critical bytes. We then apply a Hidden Markov Model (HMM) to the refined data to generate state-transition-graph based signatures. To the best of our knowledge, this is the first work combining semantic analysis with statistical analysis to automatically generate worm signatures. Our experiments show that the proposed technique can accurately detect worms with concise signatures. Moreover, our results indicate that SAS is more robust to byte distribution changes and noise injection attacks compared to Polygraph and Hamsa.
AB - String extraction and matching techniques have been widely used in generating signatures for worm detection, but how to generate effective worm signatures in an adversarial environment still remains challenging. For example, attackers can freely manipulate byte distributions within the attack payloads and can also inject well-crafted noisy packets to contaminate the suspicious flow pool. To address these attacks, we propose SAS, a novel Semantics Aware Statistical algorithm for automatic signature generation. When SAS processes packets in a suspicious flow pool, it uses data flow analysis techniques to remove non-critical bytes. We then apply a Hidden Markov Model (HMM) to the refined data to generate state-transition-graph based signatures. To the best of our knowledge, this is the first work combining semantic analysis with statistical analysis to automatically generate worm signatures. Our experiments show that the proposed technique can accurately detect worms with concise signatures. Moreover, our results indicate that SAS is more robust to byte distribution changes and noise injection attacks compared to Polygraph and Hamsa.
UR - http://www.scopus.com/inward/record.url?scp=84869597546&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84869597546&partnerID=8YFLogxK
U2 - 10.1007/978-3-642-16161-2_1
DO - 10.1007/978-3-642-16161-2_1
M3 - Conference contribution
AN - SCOPUS:84869597546
SN - 364216160X
SN - 9783642161605
T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
SP - 1
EP - 19
BT - Security and Privacy in Communication Networks - 6th International ICST Conference, SecureComm 2010, Proceedings
Y2 - 7 September 2010 through 9 September 2010
ER -