SAS: Semantics aware signature generation for polymorphic worm detection

Deguang Kong, Yoon Chan Jhi, Tao Gong, Sencun Zhu, Peng Liu, Hongsheng Xi

Research output: Chapter in Book/Report/Conference proceedingConference contribution

8 Scopus citations

Abstract

String extraction and matching techniques have been widely used in generating signatures for worm detection, but how to generate effective worm signatures in an adversarial environment still remains challenging. For example, attackers can freely manipulate byte distributions within the attack payloads and also can inject well-crafted noisy packets to contaminate the suspicious flow pool. To address these attacks, we propose SAS, a novel Semantics Aware Statistical algorithm for automatic signature generation. When SAS processes packets in a suspicious flow pool, it uses data flow analysis techniques to remove non-critical bytes. We then apply a Hidden Markov Model (HMM) to the refined data to generate state-transition-graph based signatures. To our best knowledge, this is the first work combining semantic analysis with statistical analysis to automatically generate worm signatures. Our experiments show that the proposed technique can accurately detect worms with concise signatures. Moreover, our results indicate that SAS is more robust to the byte distribution changes and noise injection attacks comparing to Polygraph and Hamsa.

Original languageEnglish (US)
Title of host publicationSecurity and Privacy in Communication Networks - 6th Iternational ICST Conference, SecureComm 2010, Proceedings
Pages1-19
Number of pages19
DOIs
StatePublished - 2010
Event6th International Conference on Security and Privacy in Communication Networks, SecureComm 2010 - Singapore, Singapore
Duration: Sep 7 2010Sep 9 2010

Publication series

NameLecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering
Volume50 LNICST
ISSN (Print)1867-8211

Other

Other6th International Conference on Security and Privacy in Communication Networks, SecureComm 2010
Country/TerritorySingapore
CitySingapore
Period9/7/109/9/10

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications

Fingerprint

Dive into the research topics of 'SAS: Semantics aware signature generation for polymorphic worm detection'. Together they form a unique fingerprint.

Cite this