Polygraph
Polygraph: automatically generating signatures for polymorphic worms. It is widely believed that content-signature-based intrusion detection systems (IDS) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives.
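The abstract above describes signatures built from several invariant substrings rather than a single one. The following Python is an added illustration of that idea, not code from the Polygraph paper or its authors: it extracts substrings common to a set of constructed sample payloads, turns them into a conjunction signature (all tokens must be present) and a token-subsequence signature (tokens must appear in order), and checks both against a new variant, a benign request and a payload with the tokens out of order. The minimum token length of 4, the sample payloads, and all function names are assumptions made for the example.

```python
"""Added illustration of multi-substring (Polygraph-style) signatures.

Not the paper's implementation: a brute-force toy that shows why a
conjunction of invariant tokens discriminates better than any single token.
All payloads below are constructed for the example.
"""

from typing import List, Sequence

MIN_TOKEN_LEN = 4  # assumed minimum token length; a tuning knob for this demo


def matches_conjunction(tokens: Sequence[bytes], payload: bytes) -> bool:
    """Conjunction signature: every token must occur somewhere in the payload."""
    return all(t in payload for t in tokens)


def matches_subsequence(tokens: Sequence[bytes], payload: bytes) -> bool:
    """Token-subsequence signature: tokens must occur in order, non-overlapping."""
    pos = 0
    for t in tokens:
        idx = payload.find(t, pos)
        if idx < 0:
            return False
        pos = idx + len(t)
    return True


def common_tokens(samples: Sequence[bytes], min_len: int = MIN_TOKEN_LEN) -> List[bytes]:
    """Maximal substrings of length >= min_len that occur in every sample.

    Brute force over the shortest sample; a suffix tree would scale better,
    but the logic is the same: keep a window only if all samples contain it.
    """
    if not samples:
        return []
    base = min(samples, key=len)
    found = set()
    for i in range(len(base)):
        for j in range(i + min_len, len(base) + 1):
            cand = base[i:j]
            if not all(cand in s for s in samples):
                break  # no longer extension of cand can be common either
            found.add(cand)
    # Keep only maximal tokens: drop any token contained in a longer one.
    return sorted(
        (t for t in found if not any(t != u and t in u for u in found)),
        key=lambda t: (-len(t), t),
    )


def subsequence_signature(samples: Sequence[bytes], min_len: int = MIN_TOKEN_LEN) -> List[bytes]:
    """Order the common tokens as in the shortest sample; keep that order only
    if every sample matches it as a disjoint subsequence, else return []."""
    tokens = common_tokens(samples, min_len)
    base = min(samples, key=len)
    ordered = sorted(tokens, key=base.find)
    return ordered if all(matches_subsequence(ordered, s) for s in samples) else []


# Constructed "polymorphic worm" samples: invariant protocol framing and a
# fixed 4-byte value standing in for a return address, variable filler around them.
PROLOGUE = b"GET /vuln.cgi?q="
RET_ADDR = b"\x12\x34\x56\x78"
TRAILER = b" HTTP/1.1\r\n\r\n"
SAMPLES = [
    PROLOGUE + b"hk2l9qpz" + RET_ADDR + b"\x90\x90\x90\x31\xc0" + TRAILER,
    PROLOGUE + b"xw7tyv" + RET_ADDR + b"\xeb\x0a\xd9\xee" + TRAILER,
    PROLOGUE + b"bn5rqg0" + RET_ADDR + b"\x0f\x0f\x43\x43" + TRAILER,
]
NEW_VARIANT = PROLOGUE + b"c3vd" + RET_ADDR + b"\xcc\xcc" + TRAILER  # unseen variant
BENIGN = b"GET /index.html HTTP/1.1\r\n\r\n"  # shares the trailer token only
REORDERED = RET_ADDR + PROLOGUE + b"zz" + TRAILER  # all tokens, wrong order


if __name__ == "__main__":
    conj = common_tokens(SAMPLES)
    seq = subsequence_signature(SAMPLES)
    print("conjunction tokens:", conj)
    print("new variant  ->", matches_conjunction(conj, NEW_VARIANT))
    print("benign       ->", matches_conjunction(conj, BENIGN))
    print("reordered    -> conj", matches_conjunction(seq, REORDERED),
          "/ subseq", matches_subsequence(seq, REORDERED))
```

The benign request contains the trailer token, so a signature made of that substring alone would fire on it; requiring the prologue and the fixed address as well is what removes the false positive, and the ordered variant is stricter still. Real traffic would need a longer minimum token length and a sample pool large enough that filler does not happen to repeat.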
References in zbMATH (referenced in 17 articles)
- Qi, Biao; Shi, Zhixin; Wang, Yan; Wang, Jizhi; Wang, Qiwen; Jiang, Jianguo: BotTokenizer: exploring network tokens of HTTP-based botnet using malicious network traces (2018)
- Corona, Igino; Giacinto, Giorgio; Roli, Fabio: Adversarial attacks against intrusion detection systems: taxonomy, solutions and open issues (2013)
- Zhang, Jun; Xiang, Yang; Zhou, Wanlei; Wang, Yu: Unsupervised traffic classification using flow statistical properties and IP packet payload (2013)
- Barreno, Marco; Nelson, Blaine; Joseph, Anthony D.; Tygar, J. D.: The security of machine learning (2010)
- Laskov, Pavel; Lippmann, Richard: Machine learning in adversarial environments (2010)
- Song, Yingbo; Locasto, Michael E.; Stavrou, Angelos; Keromytis, Angelos D.; Stolfo, Salvatore J.: On the infeasibility of modeling polymorphic shellcode. Re-thinking the role of learning in intrusion detection systems (2010)
- Tahan, Gil; Glezer, Chanan; Elovici, Yuval; Rokach, Lior: Auto-sign: an automatic signature generator for high-speed malware filtering devices (2010)
- Talbi, Mehdi; Mejri, Mohamed; Bouhoula, Adel: Specification and evaluation of polymorphic shellcode properties using a new temporal logic (2009)
- Barr, Stanley J.; Cardman, Samuel J.; Martin, David M.: A boosting ensemble for the recognition of code sharing in malware (2008)
- Jiang, Xuxian; Zhu, Xingquan: Veye: Behavioral footprinting for self-propagating worm detection and profiling (2008)
- Wang, Lanjia; Duan, Haixin; Li, Xing: Dynamic emulation based modeling and detection of polymorphic shellcode at the network level (2008)
- Anagnostakis, Kostas G.; Greenwald, Michael B.; Ioannidis, Sotiris; Keromytis, Angelos D.: COVERAGE: Detecting and reacting to worm epidemics using cooperation and validation (2007)
- Masud, Mohammad M.; Khan, Latifur; Thuraisingham, Bhavani: A scalable multi-level feature extraction technique to detect malicious executables (2007)
- Ondi, Attila; Ford, Richard: How good is good enough? Metrics for worm/anti-worm evaluation (2007)
- Polychronakis, Michalis; Anagnostakis, Kostas G.; Markatos, Evangelos P.: Network-level polymorphic shellcode detection using emulation (2007)
- Rieck, Konrad; Laskov, Pavel: Language models for detection of unknown attacks in network traffic (2007)
- Van Oorschot, Paul C.; Robert, Jean-Marc; Martin, Miguel Vargas: A monitoring system for detecting repeated packets with applications to computer worms (2006)