Anomalous Payload-Based Worm Detection and Signature Generation

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2005)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3858)

Abstract

New features of the PAYL anomalous payload detection sensor are demonstrated to accurately detect and generate signatures for zero-day worms. Experimental evidence demonstrates that site-specific packet content models are capable of detecting new worms with high accuracy in a collaborative security system. A new approach is proposed that correlates ingress/egress payload alerts to identify the worm’s initial propagation. The method also enables automatic signature generation that can be deployed immediately to network firewalls and content filters to proactively protect other hosts. We also propose a collaborative privacy-preserving security strategy whereby different hosts can exchange PAYL signatures to increase accuracy and mitigate false positives. The important principle demonstrated is that correlating multiple alerts identifies true positives from the set of anomaly alerts and reduces incorrect decisions, producing accurate mitigation.

This work has been partially supported by a grant with the Army Research Office/DHS, No. DA W911NF-04-1-0442 and an SBIR subcontract with the HS ARPA division of the Department of Homeland Security.
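The three steps the abstract summarises (a site-specific packet content model, correlation of an anomalous ingress payload with a later anomalous egress payload from the same host, and automatic signature generation from the correlated pair) as an added example; this is not code from the paper or from the PAYL sensor. It assumes the 1-gram byte-frequency model with a simplified Mahalanobis distance that the authors describe for PAYL in their RAID 2004 paper, uses a constructed calibration rule for the alert threshold, and treats every host address, request and "worm" payload below as constructed sample data. Function names such as `byte_profile`, `correlate` and `run_demo` belong to this example, not to the paper.

```python
"""Added illustration, not code from the RAID 2005 paper: a toy PAYL-style
1-gram byte-frequency payload model, ingress/egress alert correlation per host,
and signature extraction as the longest common substring of correlated payloads.
All traffic, host addresses and the threshold rule below are constructed."""
import math
from collections import defaultdict

# Constructed "normal" HTTP requests standing in for one site's training traffic.
NORMAL = [
    b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"GET /images/logo.png HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"GET /about.html HTTP/1.0\r\nHost: example.test\r\nAccept: text/html\r\n\r\n",
    b"GET /news/2005/raid.html HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"GET /contact.html HTTP/1.0\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n",
    b"GET /search?q=payload HTTP/1.0\r\nHost: example.test\r\n\r\n",
    b"GET /docs/paper.pdf HTTP/1.0\r\nHost: example.test\r\n\r\n",
]

# Constructed worm payloads: the same invariant body carried to two targets,
# differing only in the per-target bytes (id value and Host header).
JUNK = bytes(range(0x80, 0xC0)) * 3
WORM_IN = b"GET /?id=7&d=" + JUNK + b" CONSTRUCTED-MARKER HTTP/1.0\r\nHost: 10.0.0.5\r\n\r\n"
WORM_OUT = b"GET /?id=9&d=" + JUNK + b" CONSTRUCTED-MARKER HTTP/1.0\r\nHost: 10.0.0.9\r\n\r\n"

# Constructed packet stream: (direction relative to the monitored host, host, payload).
STREAM = [
    ("in", "10.0.0.5", NORMAL[0]),
    ("in", "10.0.0.5", b"GET /docs/index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"),
    ("in", "10.0.0.5", WORM_IN),            # host 10.0.0.5 receives the worm
    ("out", "10.0.0.5", NORMAL[1]),
    ("out", "10.0.0.5", WORM_OUT),          # and then sends it onward
    ("in", "10.0.0.7", NORMAL[2]),
]


def byte_profile(payloads):
    """Mean and standard deviation of each byte value's relative frequency."""
    freqs = []
    for p in payloads:
        counts = [0] * 256
        for b in p:
            counts[b] += 1
        freqs.append([c / len(p) for c in counts])
    n = len(freqs)
    mean = [sum(f[i] for f in freqs) / n for i in range(256)]
    std = [math.sqrt(sum((f[i] - mean[i]) ** 2 for f in freqs) / n) for i in range(256)]
    return mean, std


def distance(payload, profile, smoothing=0.001):
    """Simplified Mahalanobis distance (diagonal covariance) between a payload's
    byte distribution and the profile. The smoothing term keeps bytes never seen
    in training from dividing by zero; they still score very high."""
    mean, std = profile
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload)
    return sum(abs(counts[i] / n - mean[i]) / (std[i] + smoothing) for i in range(256))


def calibrate_threshold(payloads, profile, factor=4.0):
    """Constructed calibration rule: a multiple of the largest training score."""
    return factor * max(distance(p, profile) for p in payloads)


def longest_common_substring(a, b):
    """Classic dynamic-programming longest common substring of two byte strings."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def correlate(stream, profile, threshold, min_sig_len=32):
    """Alert on each anomalous payload; report a propagation event (host, signature)
    when an anomalous egress payload from a host shares a substring of at least
    min_sig_len bytes with an anomalous ingress payload that host received earlier.
    Requiring a long shared substring keeps common HTTP framing from correlating."""
    recent_ingress = defaultdict(list)
    events = []
    for direction, host, payload in stream:
        if distance(payload, profile) <= threshold:
            continue                                   # no alert for this packet
        if direction == "in":
            recent_ingress[host].append(payload)       # remember ingress alerts per host
        else:
            for earlier in recent_ingress[host]:
                sig = longest_common_substring(earlier, payload)
                if len(sig) >= min_sig_len:
                    events.append((host, sig))         # invariant bytes become the signature
    return events


def run_demo():
    profile = byte_profile(NORMAL)
    threshold = calibrate_threshold(NORMAL, profile)
    return correlate(STREAM, profile, threshold)


if __name__ == "__main__":
    for host, sig in run_demo():
        print(f"propagation via {host}: signature of {len(sig)} bytes, starts {sig[:12]!r}")
```

On this constructed stream the correlator reports a single event for host 10.0.0.5 whose signature is the 238-byte invariant substring shared by the two worm copies (from `&d=` through `Host: 10.0.0.`), while the per-target bytes that differ between the copies are left out; that is the content a firewall or content filter could block. The design choice worth noting is that the signature is derived only from a correlated ingress/egress pair, not from every anomaly alert, which is the abstract's point about using correlation to separate true positives from the anomaly alert set.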




Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Wang, K., Cretu, G., Stolfo, S.J. (2006). Anomalous Payload-Based Worm Detection and Signature Generation. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_12

  • DOI: https://doi.org/10.1007/11663812_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31778-4

  • Online ISBN: 978-3-540-31779-1

  • eBook Packages: Computer Science (R0)
