An Automated Signature-Based Approach against Polymorphic Internet Worms
Yong Tang; Shigang Chen
IEEE Transactions on Parallel and Distributed Systems, Vol. 18, No. 7, July 2007
1
Reporter: Luo Sheng-Yuan 2009/04/09
Outline
•Introduction
•Related Work
•Proposed Scheme
•Experimental Results
•Conclusion
Introduction
•Worms represent a major threat to the Internet.
•Polymorphism techniques let a worm evade detection by current defense systems.
•Position-Aware Distribution Signature (PADS)
•Compute PADS from a set of polymorphic worm samples.
Related Work
•Signature-based
▫Longest Common Substrings
[Figure labels: Payload 1, Payload 2]
Related Work
•Anomaly-based
▫Byte Frequency Distribution
Related Work
•Polymorphism Techniques
▫Self-encryption
▫Garbage-code Insertion
▫Instruction-substitution
▫Code-transposition
▫Register-reassignment
Related Work
•Variants of a polymorphic worm
Proposed Scheme
•Position-Aware Distribution Signature (PADS)
Proposed Scheme
•Payload Matching against PADS
[Figure labels: Payload, Significant Region]
Proposed Scheme
•Compute PADS from captured worm samples
▫Expectation-Maximization Algorithm
[Figure labels: Sample 1, Sample 2, Sample n, Significant Region]
Proposed Scheme
•Compute PADS from captured worm samples
▫Gibbs Sampling Algorithm
[Figure labels: Sample 1, Sample 2, Sample n]
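As an added illustration for the two preceding slides (payload matching against PADS, and computing PADS from unaligned samples), the following Python model is not code from the paper or from this presentation; it loosely follows the PADS idea: one byte distribution per position over a fixed-width significant region, matching by sliding the signature over a payload and taking the maximum log-likelihood ratio against a background distribution, and an EM-style loop that alternates between locating each sample's region and re-estimating the distributions. The width of 8, the uniform background, the pseudocounts, the seeding strategy and the constructed sample generator are assumptions of this example, not the paper's definitions, and the Gibbs sampling variant is not shown.

```python
import math
import random
W = 8            # signature width: positions in the significant region (assumed)
BG = 1.0 / 256   # background (normal traffic) byte probability, assumed uniform here

def estimate_pads(samples, starts):
    """PADS = one byte distribution per position, built from the currently located regions."""
    sig = []
    for i in range(W):
        counts = [1.0] * 256  # pseudocount 1 so every byte keeps a non-zero probability
        for s, a in zip(samples, starts):
            counts[s[a + i]] += 1
        total = sum(counts)
        sig.append([c / total for c in counts])
    return sig
def best_match(payload, sig):
    """Slide the signature over the payload; return (max log-likelihood ratio, offset)."""
    best = (-math.inf, -1)
    for a in range(len(payload) - W + 1):
        score = sum(math.log(sig[i][payload[a + i]] / BG) for i in range(W))
        if score > best[0]:
            best = (score, a)
    return best
def compute_pads_em(samples, iters=6):
    """EM-style fit: seed from each window of samples[0], alternate re-locating regions and re-estimating PADS, keep best."""
    best = (-math.inf, None, None)
    for a0 in range(len(samples[0]) - W + 1):
        sig = estimate_pads([samples[0]], [a0])
        starts = [best_match(s, sig)[1] for s in samples]
        for _ in range(iters):
            sig = estimate_pads(samples, starts)                # re-estimate the signature
            starts = [best_match(s, sig)[1] for s in samples]  # re-locate significant regions
        total = sum(best_match(s, sig)[0] for s in samples)
        if total > best[0]:
            best = (total, sig, starts)
    return best[1], best[2]
def make_samples(n, seed=1):
    """Constructed variants (no real worm code): an arbitrary 8-byte invariant, one byte occasionally substituted, inside random garbage."""
    rng = random.Random(seed)
    core = bytes(range(0xA0, 0xA0 + W))
    samples, offsets = [], []
    for _ in range(n):
        body = bytearray(core)
        if rng.random() < 0.2:                       # mimic instruction substitution
            body[rng.randrange(W)] = rng.randrange(256)
        pre = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 20)))
        post = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 20)))
        samples.append(pre + bytes(body) + post)   # mimic garbage-code insertion
        offsets.append(len(pre))
    return samples, offsets
```

Running `compute_pads_em` on `make_samples(20)` recovers the true region offsets, and `best_match` then scores fresh variants far above a byte string with no invariant, which is the separation the threshold in the matching step relies on.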
Experimental Results
•False Positives and False Negatives
Experimental Results
•Convergence of EM and Gibbs
Experimental Results
•Matching Time
Conclusion
•We propose iterative algorithms to calculate the signature from captured worm samples.
•Extensive experiments are performed on four worms to validate the proposed signature and its algorithms.
Comment
•Matching time is longer than that of traditional approaches.
•The variants of these worms are generated artificially using some polymorphism techniques, but not Self-encryption, Code-transposition, or Register-reassignment.
•Perhaps the iterative algorithms could be replaced by a genetic algorithm.