Polygraph: automatically generating signatures for polymorphic worms. It is widely believed that content-signature-based intrusion detection systems (IDS) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives.

References in zbMATH (referenced in 17 articles )

Showing results 1 to 17 of 17.
Sorted by year (citations)

  1. Qi, Biao; Shi, Zhixin; Wang, Yan; Wang, Jizhi; Wang, Qiwen; Jiang, Jianguo: BotTokenizer: exploring network tokens of HTTP-based botnet using malicious network traces (2018)
  2. Corona, Igino; Giacinto, Giorgio; Roli, Fabio: Adversarial attacks against intrusion detection systems: taxonomy, solutions and open issues (2013) ioport
  3. Zhang, Jun; Xiang, Yang; Zhou, Wanlei; Wang, Yu: Unsupervised traffic classification using flow statistical properties and IP packet payload (2013) ioport
  4. Barreno, Marco; Nelson, Blaine; Joseph, Anthony D.; Tygar, J. D.: The security of machine learning (2010) ioport
  5. Laskov, Pavel; Lippmann, Richard: Machine learning in adversarial environments (2010) ioport
  6. Song, Yingbo; Locasto, Michael E.; Stavrou, Angelos; Keromytis, Angelos D.; Stolfo, Salvatore J.: On the infeasibility of modeling polymorphic shellcode re-thinking the role of learning in intrusion detection systems (2010) ioport
  7. Tahan, Gil; Glezer, Chanan; Elovici, Yuval; Rokach, Lior: Auto-sign: an automatic signature generator for high-speed malware filtering devices (2010) ioport
  8. Talbi, Mehdi; Mejri, Mohamed; Bouhoula, Adel: Specification and evaluation of polymorphic shellcode properties using a new temporal logic (2009) ioport
  9. Barr, Stanley J.; Cardman, Samuel J.; Martin, David M.: A boosting ensemble for the recognition of code sharing in malware. (2008) ioport
  10. Jiang, Xuxian; Zhu, Xingquan: Veye: Behavioral footprinting for self-propagating worm detection and profiling (2008) ioport
  11. Wang, Lanjia; Duan, Haixin; Li, Xing: Dynamic emulation based modeling and detection of polymorphic shellcode at the network level (2008) ioport
  12. Anagnostakis, Kostas G.; Greenwald, Michael B.; Ioannidis, Sotiris; Keromytis, Angelos D.: COVERAGE: Detecting and reacting to worm epidemics using cooperation and validation (2007) ioport
  13. Masud, Mohammad M.; Khan, Latifur; Thuraisingham, Bhavani: A scalable multi-level feature extraction technique to detect malicious executables (2007) ioport
  14. Ondi, Attila; Ford, Richard: How good is good enough? metrics for worm/anti-worm evaluation. (2007) ioport
  15. Polychronakis, Michalis; Anagnostakis, Kostas G.; Markatos, Evangelos P.: Network-level polymorphic shellcode detection using emulation. (2007) ioport
  16. Rieck, Konrad; Laskov, Pavel: Language models for detection of unknown attacks in network traffic. (2007) ioport
  17. Van Oorschot, Paul C.; Robert, Jean-Marc; Martin, Miguel Vargas: A monitoring system for detecting repeated packets with applications to computer worms (2006) ioport