Using a bioinformatics approach to generate accurate exploit-based signature for polymorphic worms
Computers & Security, Vol. 20, Page 827-842, Nov. 2009
Authors: Yong Tang, Bin Xiao and Xicheng Lu
Presenter: Jheng-Hen Jiang
2010/10/21 1
Outline
Introduction
Related Work
Proposed Scheme
Experiment Result
Conclusions
Introduction
Currently available signature generation approaches may fail to create accurate signatures for polymorphic worms: some invariant parts of polymorphic worms cannot be extracted, and no existing approach takes into account all of the distance restrictions between invariant parts.
Related Work
Polymorphic worms: invariant bytes / wildcard bytes
Signature: exploit-based / vulnerability-based
Deployment: network-based / host-based
Proposed Scheme(1/5)
Multiple Sequence Alignment(MSA) – Primary library
[Figure: pairwise alignment of the two example sequences A F E C D M O U G E X and F Q C S M R D O U G K, with the per-column scores (3, 1, 0, -1) used to build the primary library; the full score table did not survive extraction.]
Proposed Scheme(2/5)
MSA – Library extension
Proposed Scheme(3/5)
MSA – Guide tree construction and progressive alignment
Pairwise distance matrix between the sequences A, B and C:

|   | A    | B    |
|---|------|------|
| B | 0.12 | -    |
| C | 0.23 | 0.32 |

[Figure: guide tree over A, B and C built from these distances, which fixes the order of the progressive alignment.]
Proposed Scheme(4/5)
Noise elimination
Proposed Scheme(5/5)
Simplified Regular Expression(SRE) signature transformation
Worm samples shown on the slide (one byte sequence per line):
\x08 \x25 \x00 \xFF \xAC \xAE \x2F \x5E \x3C \x64 \xCB \x2A \x6F
\x08 \xFF \xAC \x2F \x5E \x3C \x64 \x7A \x26 \xEB \x68 \x5C
\x08 \xFF \xAC \x2F \x5E \x3C \x64 \x8B \xBA
Resulting SRE signature:
.* ‘\x08’ .[2] ‘\xFF\xAC’ .[1] ‘\x2F\x5E\x3C\x64’ .*
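The transformation step above as an added Python example (not code from the slides or the paper): it starts from a constructed alignment of the three slide samples, emits the invariant runs and the distance restrictions in the slide's SRE notation (straight quotes instead of the slide's curly ones), and compiles that signature to a byte regex so the samples and a counter-example can be checked. `.[k]` is read here as at most k arbitrary bytes, the only reading under which all three slide samples match the signature.

```python
import re
# Constructed alignment of the three byte strings on the slide (None marks a gap);
# the multiple sequence alignment step itself is assumed to have been done already.
ALIGNED = [
    [0x08, 0x25, 0x00, 0xFF, 0xAC, 0xAE, 0x2F, 0x5E, 0x3C, 0x64, 0xCB, 0x2A, 0x6F, None, None],
    [0x08, None, None, 0xFF, 0xAC, None, 0x2F, 0x5E, 0x3C, 0x64, 0x7A, 0x26, 0xEB, 0x68, 0x5C],
    [0x08, None, None, 0xFF, 0xAC, None, 0x2F, 0x5E, 0x3C, 0x64, 0x8B, 0xBA, None, None, None],
]

def segments(aligned):
    """Columns -> ("inv", bytes) runs where all samples agree, else ("var", k), k = most real bytes any sample has there."""
    segs = []
    for c in range(len(aligned[0])):
        col = [row[c] for row in aligned]
        if None not in col and len(set(col)) == 1:          # invariant column
            if segs and segs[-1][0] == "inv":
                segs[-1] = ("inv", segs[-1][1] + bytes([col[0]]))
            else:
                segs.append(("inv", bytes([col[0]])))
        else:                                                 # variable column
            widths = [0 if b is None else 1 for b in col]    # real bytes per sample
            if segs and segs[-1][0] == "var":
                widths = [a + b for a, b in zip(segs.pop()[1], widths)]
            segs.append(("var", widths))
    return [(kind, v if kind == "inv" else max(v)) for kind, v in segs]

def sre_signature(aligned):
    """Render runs in the slide's notation: '.*' at both ends, quoted bytes, '.[k]' gaps."""
    segs = segments(aligned)
    while segs and segs[0][0] == "var":    # flanking '.*' already covers any
        segs.pop(0)                        # leading or trailing variable bytes
    while segs and segs[-1][0] == "var":
        segs.pop()
    body = ["'" + "".join(f"\\x{b:02X}" for b in v) + "'" if kind == "inv" else f".[{v}]"
            for kind, v in segs]
    return " ".join([".*"] + body + [".*"])

TOKEN = re.compile(r"\.\*|\.\[(\d+)\]|'((?:\\x[0-9A-Fa-f]{2})+)'")

def sre_to_regex(sig):
    """Compile an SRE string to a bytes regex; '.[k]' is read as 0..k arbitrary bytes."""
    out = b""
    for k, lit in TOKEN.findall(sig):
        if k: out += b".{0,%d}" % int(k)                      # distance restriction
        elif lit: out += re.escape(bytes.fromhex(lit.replace("\\x", "")))
        else: out += b".*"
    return re.compile(out, re.DOTALL)

SAMPLES = [bytes(b for b in row if b is not None) for row in ALIGNED]   # raw samples
SRE = sre_signature(ALIGNED)
```

A payload that carries every invariant byte run but violates a distance restriction (for example three bytes between \x08 and \xFF\xAC) does not match the compiled signature, which is the extra precision the slide's `.[k]` terms buy over a plain token-subsequence signature.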
Experiment Result(1/4)
Signature quality
Experiment Result(2/4)
Worm sample needed
Experiment Result(3/4)
Noise toleration
Experiment Result(4/4)
Conclusions
Provided a more powerful method to accurately analyze the intrinsic similarities of worm samples.
An IDS can generate signatures locally and distribute them to others to prevent further worm damage.
This approach is noise-tolerant, and its signatures are more accurate and precise than those of other methods.