Presentation is loading. Please wait.

Presentation is loading. Please wait.

POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms

Published byMerryl Small Modified over 6 years ago

Similar presentations

Presentation on theme: "POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms"— Presentation transcript:

1 POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms
Authors: James Newsome, Brad Karp, Dawn Song PUBLICATION: IEEE Security and Privacy Symposium, May 2005 CLASS PRESENTATION BY: Anvita Priyam

2 Intrusion Detection Systems(IDS)
POLYGRAPH Intrusion Detection Systems(IDS) > Monitor networking traffic for suspicious activity > Alert the system or administrator > May block user or source IP Signature based IDS > monitors packets on the n/w & compares them against database of signatures > lag in case of a new threat

3 Currently Used Techniques By IDS
POLYGRAPH Currently Used Techniques By IDS > string matching at arbitrary payload offsets > string matching at fixed payload offsets > matching of regular expressions within a flow’s payload

4 > changes its appearance with every instance
POLYGRAPH Polymorphic Worm > changes its appearance with every instance > byte sequences of worm instances vary > code remains the same Mechanism > encrypt the code with a random key > generate a short decryptor(PD) > PD and the key keep changing

5 Motivation for automating signatures
POLYGRAPH Motivation for automating signatures > earlier, signatures were generated manually > slow paced

6 Polygraph comes into picture
> signatures consist of multiple disjoint content substring > substrings: protocol framing, return addresses, poorly obfuscated code > often present in all variants of a payload PS: It does not consider single substring signature

7 Underlying Assumption
POLYGRAPH Underlying Assumption > possible to generate signatures automatically that match the many variants of PW > offer low false positives and low false negatives BASIS > share invariant content as they exploit same vulnerability

8 Sources of Invariant Content
POLYGRAPH Sources of Invariant Content > Exploit Framing( e.g., reserved keywords, binary constants that are part of wire protocol) > Exploit Payload

9 Signature Classes for PW > Conjunction Signatures
POLYGRAPH Signature Classes for PW > Conjunction Signatures > Token Subsequence Signature > Bayes Signature

10 Conjunction Signatures > signature consists of a set of tokens
POLYGRAPH Conjunction Signatures > signature consists of a set of tokens > all the tokens must match > order of matching is not particular

11 Token-subsequence Signatures > consists of ordered set of tokens
POLYGRAPH Token-subsequence Signatures > consists of ordered set of tokens > identical ordering is required for a match > can be easily expressed as regular expressions > more specific compared to conjunction signature

12 Bayes Signature > associated with a score and an overall threshold
POLYGRAPH Bayes Signature > associated with a score and an overall threshold > instead of exact matching it provides probabilistic matching > construction and matching is less rigid

13 ARCHITECTURE POLYGRAPH Suspicious Flow Pool Flow N/W PSG classifier
tap Innocuous Flow Pool Signature Evaluator

14 > Signature quality
POLYGRAPH Design Goals > Signature quality > Efficient signature generation > Efficient signature matching > Generation of small signature sets > Robustness against noise and multiple worms > Robustness against evasion and subversion

15 Signature Generation Algorithms
POLYGRAPH Signature Generation Algorithms > Pre-processing: Token extraction > first step to eliminate irrelevant parts > extract all distinct substrings of min length > Generating single signatures > for conjunction signature just use token extraction, signature is this set of tokens > for token subsequence signature find a subsequence of tokens that is present in sample. Iteratively apply string alignment

16 Signature Generation Algo( cont’d) > for bayes signature
POLYGRAPH Signature Generation Algo( cont’d) > for bayes signature > choose set of tokens > calculate empirical probability of occurrence > each token is then assigned a score > if greater than threshold classified as worm

17 Generating Multiple Signatures > Bayes signature remains unmodified
POLYGRAPH Generating Multiple Signatures > Bayes signature remains unmodified > Token subsequence and conjunction algos require clustering

18 Experimental Results > Single Polymorphic worm
POLYGRAPH Experimental Results > Single Polymorphic worm > Apache-Knacker Exploit > Conjunction signatures( .0024% False+,0% False-) > Token-subsequence(.0008% False+,0% False-) > Bayes signatures(.008% False+,0% False-) > BIND-TSIG Exploit > Conjunction signatures(0% False+ & False-) > Token-Subsequence(0% False+ & False-) > Bayes Signatures(.0023% False+,0% False-)

19 Experimental Results (cont’d)
POLYGRAPH Experimental Results (cont’d) > Single polymorphic worm & noise > conjunction & token subsequence signatures remain the same > Bayes signatures are not affected by noise until it grows beyond 80% > Multiple polymorphic worms & noise > conjunction & token subsequence signatures are generated for each type of worm. > only one bayes signature is generated that matches all the worms.

20 > content based filtering holds great promise for
POLYGRAPH CONCLUSION > content based filtering holds great promise for tackling PW > Polygraph automatically derives signatures for PW > It generates high quality signatures even in the presence of multiple flows and noise > rumors of demise of content based filtering is exaggerated

21 > very little insight into how PWs function
POLYGRAPH WEAKNESS > very little insight into how PWs function > payload invariance assumptions are naïve > no clear reference to situational applications of signature generation algorithms

22 > should be more informative on initial topics
POLYGRAPH SUGGESTIONS > should be more informative on initial topics > a wider range of studies required

Download ppt "POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms"

Similar presentations

Smarter Searching for a Network Packet Database William (Bill) Kenworthy School of Information Technology Murdoch University Perth, Western Australia.

Smarter Searching for a Network Packet Database William (Bill) Kenworthy School of Information Technology Murdoch University Perth, Western Australia.
Polygraph: Automatically Generating Signatures for Polymorphic Worms James Newsome *, Brad Karp *†, and Dawn Song * † Intel Research Pittsburgh * Carnegie.

Polygraph: Automatically Generating Signatures for Polymorphic Worms James Newsome *, Brad Karp *†, and Dawn Song * † Intel Research Pittsburgh * Carnegie.
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
11 Packet Sampling for Worm and Botnet Detection in TCP Connections Reporter: 林佳宜 2010/10/25.

11 Packet Sampling for Worm and Botnet Detection in TCP Connections Reporter: 林佳宜 /10/25.
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.

 Looked at some research approaches to: o Evaluate defense effectiveness o Stop worm from spreading from a given host o Defend a circle of friends against.
Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian.

Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience Zhichun Li, Manan Sanghi, Yan Chen, Ming-Yang Kao and Brian.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.

Automated Worm Fingerprinting Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage Manan Sanghi.
Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)

Big Data Analytics and Challenge Presented by Saurabh Rastogi Asst. Prof. in Maharaja Agrasen Institute of Technology B.Tech(IT), M.Tech(IT)
General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's.

General approach to exploit detection and signature generation White-box  Need the source code Gray-box  More accurate. But need to monitor a program's.
Chapter 9 Classification And Forwarding. Outline.

Chapter 9 Classification And Forwarding. Outline.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
WAC/ISSCI 20061 Automated Anomaly Detection Using Time-Variant Normal Profiling Jung-Yeop Kim, Utica College Rex E. Gantenbein, University of Wyoming.

WAC/ISSCI Automated Anomaly Detection Using Time-Variant Normal Profiling Jung-Yeop Kim, Utica College Rex E. Gantenbein, University of Wyoming.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Silvio Cesare Ph.D. Candidate, Deakin University.

Silvio Cesare Ph.D. Candidate, Deakin University.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Over the last years, the amount of malicious code (Viruses, worms, Trojans, etc.) sent through the internet is highly increasing. Due to this significant.

Over the last years, the amount of malicious code (Viruses, worms, Trojans, etc.) sent through the internet is highly increasing. Due to this significant.
Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.

Vulnerability-Specific Execution Filtering (VSEF) for Exploit Prevention on Commodity Software Authors: James Newsome, James Newsome, David Brumley, David.
Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems Author: Domenico Ficara, Gianni Antichi, Andrea Di Pietro, Stefano.

Sampling Techniques to Accelerate Pattern Matching in Network Intrusion Detection Systems Author: Domenico Ficara, Gianni Antichi, Andrea Di Pietro, Stefano.

Similar presentations

Ads by Google