Hamsa

Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience. Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph (J. Newsome et al., 2005) in terms of efficiency, accuracy, and attack resilience


References in zbMATH (referenced in 5 articles )

Showing results 1 to 5 of 5.
Sorted by year (citations)

  1. Qi, Biao; Shi, Zhixin; Wang, Yan; Wang, Jizhi; Wang, Qiwen; Jiang, Jianguo: BotTokenizer: exploring network tokens of HTTP-based botnet using malicious network traces (2018)
  2. Corona, Igino; Giacinto, Giorgio; Roli, Fabio: Adversarial attacks against intrusion detection systems: taxonomy, solutions and open issues (2013) ioport
  3. Laskov, Pavel; Lippmann, Richard: Machine learning in adversarial environments (2010)
  4. Szabó, Géza; Veres, András; Molnár, Sándor: On the impacts of human interactions in MMORPG traffic (2009) ioport
  5. Polychronakis, Michalis; Anagnostakis, Kostas G.; Markatos, Evangelos P.: Network-level polymorphic shellcode detection using emulation. (2007) ioport