An Automated Signature-Based Approach against

Polymorphic Internet WormsYong Tang; Shigang Chen;IEEE Transactions on Parallel and Distributed Systems, Vol. 18, No. 7, July 2007

1

Reporter: Luo Sheng-Yuan 2009/04/09

Outline

•Introduction

•Related Work

•Proposed Scheme

•Experiments Result

•Conclusion

2

Introduction

•Worms represent a major threat to the Internet.

•Polymorphism techniques that a worm may use to evade detection by the current defense systems.

•Position-Aware Distribution Signature (PADS)

•Compute PADS from a set of polymorphic worm samples.

3

Related Work

•Signature-based▫Longest Common Substrings

4

Payload 1

Payload 2

Related Work

•Anomaly-based▫Byte Frequency Distribution

5

Related Work

•Polymorphism Techniques▫Self-encryption▫Garbage-code Insertion▫Instruction-substitution▫Code-transposition▫Register-reassignment

6

Related Work

•Variants of a polymorphic worm

7

Proposed Scheme

•Position-Aware Distribution Signature (PADS)

8

Proposed Scheme

•Payload Matching against PADS

9

Payload Significant

Region

Proposed Scheme

•Compute PADS from captured worm samples▫Expectation-Maximization Algorithm

10

Sample 1

Sample 2

Sample n

Significant Region

Proposed Scheme

•Compute PADS from captured worm samples▫Gibbs Sampling Algorithm

11

Sample 1

Sample 2

Sample n

Experiments Result

•False Positives and False Negatives

12

Experiments Result

•Convergence of EM and Gibbs

13

Experiments Result

•Matching Time

14

Conclusion

•We propose iterative algorithms to calculate the signature from captured worm samples.

•Extensively experiments are performed on four worms to validate the proposed signature and its algorithms.

15

Comment

•Matching Time is bigger than traditional approaches.

•Artificially generate the variants of these worms based on some polymorphism techniques, but not including Self-encryption, Code-transposition, and Register-reassignment.

•Maybe, the iterative algorithms can replace by Genetic Algorithm.

16