Autograph: toward automated, distributed worm signature detection. Today’s Internet intrusion detection systems (IDSes) monitor edge networks’ DMZs to identify and/or filter malicious flows. While an IDS helps protect the hosts on its local edge network from compromise and denial of service, it cannot alone effectively intervene to halt and reverse the spreading of novel Internet worms. Generation of the worm signatures required by an IDS--the byte patterns sought in monitored traffic to identify worms--today entails non-trivial human labor, and thus significant delay: as network operators detect anomalous behavior, they communicate with one another and manually study packet traces to produce a worm signature. Yet intervention must occur early in an epidemic to halt a worm’s spread. Autograph is a system that automatically generates signatures for novel Internet worms that propagate using TCP transport. It does so by by analyzing the prevalence of portions of flow payloads, and thus uses no knowledge of protocol semantics above the TCP level. It is designed to produce signatures that exhibit high sensitivity (high true positives) and high specificity (low false positives); our evaluation of the system on real DMZ traces validates that it achieves these goals. Autograph also shares port scan reports among distributed monitor instances; using trace-driven simulation of a worm outbreak, we’ve demonstrated the value of this technique in speeding the generation of signatures for novel worms. Our results elucidate the fundamental trade-off between early generation of signatures for novel worms and the specificity of these generated signatures.

References in zbMATH (referenced in 16 articles )

Showing results 1 to 16 of 16.
Sorted by year (citations)

  1. Qi, Biao; Shi, Zhixin; Wang, Yan; Wang, Jizhi; Wang, Qiwen; Jiang, Jianguo: BotTokenizer: exploring network tokens of HTTP-based botnet using malicious network traces (2018)
  2. Barreno, Marco; Nelson, Blaine; Joseph, Anthony D.; Tygar, J. D.: The security of machine learning (2010)
  3. Kencl, Lukas; Loebl, Martin: DNA-inspired information concealing: a survey (2010)
  4. Song, Yingbo; Locasto, Michael E.; Stavrou, Angelos; Keromytis, Angelos D.; Stolfo, Salvatore J.: On the infeasibility of modeling polymorphic shellcode. Re-thinking the role of learning in intrusion detection systems (2010)
  5. Tahan, Gil; Glezer, Chanan; Elovici, Yuval; Rokach, Lior: Auto-sign: an automatic signature generator for high-speed malware filtering devices (2010) ioport
  6. Zhang, Guangsen; Parashar, Manish: Cooperative detection and protection against network attacks using decentralized information sharing (2010) ioport
  7. Ha, Duc T.; Ngo, Hung Q.: On the trade-off between speed and resiliency of flash worms and similar malcodes (2009) ioport
  8. Szabó, Géza; Veres, András; Molnár, Sándor: On the impacts of human interactions in MMORPG traffic (2009) ioport
  9. Jiang, Xuxian; Zhu, Xingquan: Veye: Behavioral footprinting for self-propagating worm detection and profiling (2008) ioport
  10. Jung, Jaeyeon; Milito, Rodolfo A.; Paxson, Vern: On the adaptive real-time detection of fast-propagating network worms. (2008) ioport
  11. Anagnostakis, Kostas G.; Greenwald, Michael B.; Ioannidis, Sotiris; Keromytis, Angelos D.: COVERAGE: Detecting and reacting to worm epidemics using cooperation and validation (2007) ioport
  12. Masud, Mohammad M.; Khan, Latifur; Thuraisingham, Bhavani: A scalable multi-level feature extraction technique to detect malicious executables (2007) ioport
  13. Ondi, Attila; Ford, Richard: How good is good enough? metrics for worm/anti-worm evaluation. (2007) ioport
  14. Polychronakis, Michalis; Anagnostakis, Kostas G.; Markatos, Evangelos P.: Network-level polymorphic shellcode detection using emulation. (2007) ioport
  15. Rieck, Konrad; Laskov, Pavel: Language models for detection of unknown attacks in network traffic. (2007) ioport
  16. Van Oorschot, Paul C.; Robert, Jean-Marc; Martin, Miguel Vargas: A monitoring system for detecting repeated packets with applications to computer worms (2006) ioport