SAS: semantics aware signature generation for polymorphic worm detection

  • Special Issue Paper
  • International Journal of Information Security

Abstract

String extraction and matching techniques have been widely used to generate signatures for worm detection, but generating effective worm signatures in an adversarial environment remains a challenging problem. For example, attackers can freely manipulate the byte distribution within attack payloads and inject well-crafted noisy packets to contaminate the suspicious flow pool. To address these attacks, we propose SAS, a novel Semantics Aware Statistical algorithm for automatic signature generation. When SAS processes packets in a suspicious flow pool, it uses data flow analysis techniques to remove non-critical bytes. We then apply a hidden Markov model (HMM) to the refined data to generate state-transition-graph-based signatures. To the best of our knowledge, this is the first work to combine semantic analysis with statistical analysis to automatically generate worm signatures. Our experiments show that the proposed technique can accurately detect worms with concise signatures. Moreover, our results indicate that SAS is more robust to byte distribution changes and noise injection attacks than Polygraph and Hamsa.



Corresponding author

Correspondence to Deguang Kong.


Cite this article

Kong, D., Jhi, YC., Gong, T. et al. SAS: semantics aware signature generation for polymorphic worm detection. Int. J. Inf. Secur. 10, 269–283 (2011). https://doi.org/10.1007/s10207-011-0132-7
