Abstract
New features of the PAYL anomalous payload detection sensor are demonstrated to accurately detect and generate signatures for zero-day worms. Experimental evidence demonstrates that site-specific packet content models are capable of detecting new worms with high accuracy in a collaborative security system. A new approach is proposed that correlates ingress/egress payload alerts to identify the worm's initial propagation. The method also enables automatic signature generation that can be deployed immediately to network firewalls and content filters to proactively protect other hosts. We also propose a collaborative privacy-preserving security strategy whereby different hosts can exchange PAYL signatures to increase accuracy and mitigate false positives. The important principle demonstrated is that correlating multiple alerts identifies true positives from the set of anomaly alerts and reduces incorrect decisions, producing accurate mitigation.
This work has been partially supported by a grant with the Army Research Office/DHS, No. DA W911NF-04-1-0442 and an SBIR subcontract with the HS ARPA division of the Department of Homeland Security.
Copyright information
© 2006 Springer-Verlag Berlin Heidelberg
Cite this paper
Wang, K., Cretu, G., Stolfo, S.J. (2006). Anomalous Payload-Based Worm Detection and Signature Generation. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_12
DOI: https://doi.org/10.1007/11663812_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-31778-4
Online ISBN: 978-3-540-31779-1