Abstract
With lack of diversity in platforms and softwares running in Internet-attached hosts, Internet worms can spread all over the world in just a few minutes. Many researchers suggest the signature-based Network Intrusion Detection System(NIDS) to defend the network against it. However, the polymorphic worm evolved from the traditional Internet worm was devised to evade signature-based detection schemes, which actually makes NIDS useless. Some schemes are proposed for detecting it, but they have some shortcomings such as belated detection and huge overhead.
In this paper, we propose a new system, called PolyI-D, that detects the polymorphic worm through some tests based on instruction distribution in real-time with little overhead. This is particularly suitable even for fast spread and continuously mutated worms.
This research was supported by the MIC(Ministry of Information and Communication), Korea, under the ITRC(Information Technology Research Center) support program supervised by the IITA(Institute of Information Technology Assessment).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
DeTristan, T., Ulenspiegel, T., Malcom, Y., Underduk, M.V.: Polymorphic shellcode engine using spectrum analysis (2003), http://www.phrack.org/show.php?p=61&a=9
Macaulay, S.: Admmutate: Polymorphic shellcode engine (2001), http://www.ktwo.ca/security.html
Kolesnikov, M., Lee, W.: Advanced polymorphic worms: evading ids by blending in with normal traffic. Technical report, Georgia Tech College of Computing (2004)
Staniford, S., Paxson, V., Weaver, N.: How to own the internet in your spare time. In: Proceedings of the 11th USENIX Security Symposium, Berkeley, CA, USA, pp. 149–167. USENIX Association (2002)
Zou, C.C., Gong, W., Towsley, D.: Code red worm propagation modeling and analysis. In: Proceedings of the 9th ACM conference on Computer and Communications Security (CCS), Washington, DC, USA, pp. 138–147. ACM Press, New York (2002)
Venkataraman, S., Song, D., Gibbons, P., Blum, A.: New streaming algorithms for fast detection of superspreaders. In: Network and Distributied System Symposium (NDSS) (2005)
Weaver, N., Staniford, S., Paxson, V.: Very fast containment of scanning worms. In: Proceedings of the 13th USENIX Security Symposium (2004)
Bailey, M., Cooke, E., Jahanian, F., Nazario, J., Watson, D.: The internet motion sensor: a distributed blackhole monitoring system. In: Network and Distributed System Symposium (NDSS) (2005)
Dagon, D., Qin, X., Gu, G., Lee, W., Grizzard, J., Levin, J., Owen, H.: Honeystat: local worm detection using honeypots. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 39–58. Springer, Heidelberg (2004)
Williamson, M.: Throttling viruses: restricting propagation to defeat malicious mobile code. In: Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC), Washington, DC, USA, p. 61. IEEE Computer Society Press, Los Alamitos (2002)
Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: Proceedings of annual joint conference of the IEEE Computer and Communications Societies (INFOCOM), San Fancisco, CA, IEEE Computer Society Press, Los Alamitos (2003)
Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceeding of 6th symposium on Operating System Design and Implementation (OSDI) (2004)
Kim, H.A., Autograph, B.K.: Autograph: Toward automated, distributed worm signature detection. In: Proceeding of 13th USENIX Security Symposium (2004)
Stampf, N.: Worms of the future: trying to exorcise the worst (2003)
Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of the 12th USENIX Security Symposium (2003)
Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: 2005 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos (2005)
Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, Springer, Heidelberg (2006)
Akritidis, P., Markatos, E.P., Polychronakis, M., Anagnostakis, K.: Stride: Polymorphic sled detection through instruction sequence analysis. In: 20th IFIP International Information Security Conference. IFIP TC11 20th International Information Security Conference, May 30 – June 1, 2005. IFIP International Federation for Information Processing, vol. 181, Springer, Boston (2005)
One, A.: Smashing the stack for fun and profit (1996), http://www.phrack.org/show.php?p=49&a=14
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2007 Springer Berlin Heidelberg
About this paper
Cite this paper
Lee, K.H., Kim, Y., Hong, S.J., Kim, J. (2007). PolyI-D: Polymorphic Worm Detection Based on Instruction Distribution . In: Lee, J.K., Yi, O., Yung, M. (eds) Information Security Applications. WISA 2006. Lecture Notes in Computer Science, vol 4298. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-71093-6_4
Download citation
DOI: https://doi.org/10.1007/978-3-540-71093-6_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-71092-9
Online ISBN: 978-3-540-71093-6
eBook Packages: Computer ScienceComputer Science (R0)