Jia Zhang,Haixin Duan,Lanjia Wang,Yuntao Guan

DOI: https://doi.org/10.1109/iccee.2008.33

2008-01-01

Abstract:With the development of polymorphic worms, worms do greater harm to networks. The content-based signature generation of polymorphic worms has been a challenge for network security. This paper presents a fast signature generation method for polymorphic worms. The main feature of this method is clustering network normal traffic to create a white list before carrying out a comprehensive analysis of malicious traffic. Compared with other methods, this approach avoids the large number of comparisons with normal network traffic pool because of the white list. It is proved by experiments that our approach has a good noise-tolerant capability and high efficiency, and signatures generated by our method have a high accuracy.

Deguang Kong,Yoon-Chan Jhi,Tao Gong,Sencun Zhu,Peng Liu,Hongsheng Xi

DOI: https://doi.org/10.1007/s10207-011-0132-7

2010-01-01

Abstract:String extraction and matching techniques have been widely used in generating signatures for worm detection, but how to generate effective worm signatures in an adversarial environment still remains a challenging problem. For example, attackers can freely manipulate byte distributions within the attack payloads and thus inject well-crafted noisy packets to contaminate the suspicious flow pool. To address these attacks, we propose SAS, a novel S emantics A ware S tatistical algorithm for automatic signature generation. When SAS processes packets in a suspicious flow pool, it uses data flow analysis techniques to remove non-critical bytes. We then apply a hidden Markov model (HMM) to the refined data to generate state-transition-graph-based signatures. To our best knowledge, this is the first work combining semantic analysis with statistical analysis to automatically generate worm signatures. Our experiments show that the proposed technique can accurately detect worms with concise signatures. Moreover, our results indicate that SAS is more robust to the byte distribution changes and noise injection attacks compared to Polygraph and Hamsa.

Zhichun Li,Manan Sanghi,Yan Chen,Ming-Yang Kao,Brian Chavez

DOI: https://doi.org/10.1109/SP.2006.18

2006-01-01

Abstract:Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph [16] in terms of efficiency, accuracy, and attack resilience.

Zhichun Li,Lanjia Wang,Yan Chen,Zhi Judy Fu

DOI: https://doi.org/10.1109/icnp.2007.4375847

2007-01-01

Abstract:It is crucial to detect zero-day polymorphic worms and to generate signatures at the edge network gateways or honeynets so that we can prevent the worms from propagating at their early phase. However, most existing network-based signatures generated are not vulnerability-based and can be easily evaded by attacks. In this paper, we propose generating vulnerability-based signatures on the network level without any host-level analysis of worm execution or vulnerable programs. As the first step, we design a network-based length-based signature generator (LESG) for worms based on buffer overflow vulnerabilities'. The signatures generated are intrinsic to buffer overflows, and are very hard for attackers to evade. We further prove the attack resilience bounds even under worst case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching. Evaluation based on real-world vulnerabilities of various protocols and real network traffic demonstrates that LESG is promising in achieving these goals.

Hao Tu,Zhitang Li,Bin Liu,Yejiang Zhang

DOI: https://doi.org/10.1080/15501320802508543

2009-01-01

Abstract:The fast spread of a worm is a great challenge to Internet security. Most current defense systems use a signature matching approach while most signatures are developed manually. It is difficult to catch a variety of new worms promptly. An efficient worm defense system is designed and implemented to provide early warning at the moment the worms start to spread in the network and to contain or slow down the spread of the worm by automatically extracting a signature that could be used by firewalls or Intrusion Prevention Systems. Several recent efforts to automatically extract worm signatures from Internet traffic have been done, but the efficiency is an unsolved problem especially in real high-speed network. In this paper, we proposed an efficient worm defense system based signature extraction. The input of the system is all traffic crossing an edge network and its output is a database of worm signatures which can be used by content-based defense. There are three main stages to extract signatures from network traffic. First, a clustering stage uses multidimensional traffic mining based IP header to identify significant traffic volume. We propose a binary clustering algorithm and this leaves a preferred policy to improve the front traffic filter, which can reduce the traffic to be processed and enhance its purity. After clustering, nonsignificant traffic volume is stored in an innocuous packet pool and significant traffic volume is further classified using address dispersion as suspicious or innocuous. After this stage, only a small portion of the packets captured from the edge network are analyzed in third stage, signature extraction. A position-aware signature generation method based bloom filter is proposed to extract more accurate signatures with less CPU time and memory consumption. To minimize false positives, the signatures will be verified based on the innocuous packet pool. Both trace data and tcpdump data are used to test the prototype system. Experiment results show that the system can efficiently filter through suspicious traffic with high purity and extract more accurate signature, which can well support popular content-based defense system such as Snort.

涂浩,李之棠,柳斌

2009-01-01

Abstract:The fast spread of worm is a great challenge to Internet security.An effective worm detection and defense system is designed and implemented.A binary cluster algorithm is proposed to improve the front traffic filter,which reduce the traffic and enhance its purity.A method of position-aware signature generation based Bloom Filter is proposed to bring better performance and more accurate signature.Experiments show the system can effective detect worm traffic and generate accurate signature for content-based automatic defense.

Pan Xiaohui,Zhang Xiaosong,Chen Ting

DOI: https://doi.org/10.1109/ebiss.2009.5137885

2009-01-01

Abstract:Since worms have become a major threat of cybersecurity, several detection approaches have been proposed to detect them. However, attackers have exploited state-of-the-art techniques to evade these detection systems, such as polymorphism and metamorphism, making existing systems ineffective. In this paper, we propose a hybrid method for the detection of polymorphic worms. It uses improved Reverse Sequential Hypothesis Testing (RSHT) to detect portscans which are routinely used to find vulnerable hosts to compromise. Then a CPU emulator is used to execute every possible instruction sequence in suspicious traffic and determine whether it is an exploit code. We implemented a prototype and tested it using real polymorphic worms. Initial experimental results show that our approach is effective with high accuracy.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

Ye Guo,Miaoliang Zhu

DOI: https://doi.org/10.1109/IMSCCS.2006.178

2006-01-01

Abstract:Considering the shortcomings of the current worm Defense system, an agent-oriented worm Defense system, AOSWD, is proposed in this paper. In the hierarchical framework of AOSWD, the agents are independent but can roam in the network freely and collaborate with each other to defend against Internet worms. In this paper, we discuss the system architecture and the realization details, propose the key technique for the system and analyze the system performance.

唐勇,诸葛建伟,陈曙晖,卢锡城

DOI: https://doi.org/10.3969/j.issn.1000-436x.2013.03.018

2013-01-01

Abstract:A practical worm regular expression of automatic extraction method was presented, which involves four steps:sample collection from worm propagation, signature tree generation, removal of high false-positive signatures, and sig-nature merging. The advantage of this method is that it can directly output expression signature with the rich syntax of“.*”,“.{k}”,“|”,“(c){k}”. Based on the honeypot system Honeybow deployed in Internet, the method was implemented and evaluated by several in-wild worms under real Internet environment. The experiment results show that the method can generate accurate regular expression signatures for real worms and is promising for the applications of automatic analysis of worms and malwares.

WANG Ping,FANG Bin-xing,YUN Xiao-chun

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.06.013

2006-01-01

Abstract:Worms had done serious harm to the computer networks due to their propagating speeds.The research was necessary to detect worms quickly and automatically.In large scale networks,flux based anomaly found module was used to screen out anomalous network data set,and automatic signature extraction was processed in succession,then its signa-ture was updated to the signature database of the signature based detection module,thus,the approach to detect unknown worms was realized.Novel epidemic can be found effectively,and the whole system is the fundament of worm automatic defense.

WEN Shi-qiang,DUAN Hai-xin,WU Jian-ping

DOI: https://doi.org/10.3969/j.issn.1000-1220.2006.01.005

2006-01-01

Abstract:For the globalization of network attack, intrusion detection systems (IDS) should protect not only a local sub-net, but the whole network environment. Therefore, an urgent requirement of open resources for intrusion detection is coming to being. An open signature database for IDS has been implemented in the effort of this paper, which includes more than 1200 effective signatures. In this paper, the Intrusion Signature Exchange Protocol (ISEP) is presented, which has been used by IDSes to update signatures from the database in real time. Digital certificate and role-based access control technique involved in the system is described. Finally, in the case study of Nachi worm, the method of signature extraction is illustrated.

LI Zhi-dong,YUN Xiao-Chun,YANG Wu,XIN Yi

2005-01-01

Journal of Computer Applications

Abstract:Serving as the bridge that links detection and containment, automatic signature extraction has played an important role in anti-worm. Traditional Internet worm signature extraction algorithms were introduced. Based on the analysis of their mechanisms and major defections, an extraction algorithm based on common feature set was presented. It supported low complexity extraction and optimization, as well as the tradeoff between sensitivity and specialization, and had remarkable superiority in dealing with background noise and cross infection.

XIN Yi,FANG Bin-xing,HE Long-tao,YUN Xiao-chun,LI Zhi-dong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.001

2007-01-01

Abstract:Worm detection and signature extraction was presented based on analysis of similar communication character-istics,which identifies the distinct communication pattern of worm spread,and evaluates the similarity metric of commu-nication characteristic sets,and detects worms by detecting their infectivity with higher detection precision,generality and adaptability.Based on this,a heuristic detection framework is designed,which eliminates non-worm traffic from protocol,sequence,and content in three levels via blind,intent and lock track,then filters out worm packets and extracts signatures.The technique reduces data collection volume and analysis cost dramatically,and can detection worm and ex-tract signature quickly in the environment with high strength background noise.

Zhichun Li,Gao Xia,Hongyu Gao,Yi Tang,Yan Chen,Bin Liu,Junchen Jiang,Yuezhou Lv

DOI: https://doi.org/10.1145/1851275.1851216

IF: 1.937

2010-01-01

ACM SIGCOMM Computer Communication Review

Abstract:Accuracy and speed are the two most important metrics for Network Intrusion Detection/Prevention Systems (NIDS/NIPSes). Due to emerging polymorphic attacks and the fact that in many cases regular expressions (regexes) cannot capture the vulnerability conditions accurately, the accuracy of existing regex-based NIDS/NIPS systems has become a serious problem. In contrast, the recently-proposed vulnerability signatures [10, 29] (a.k.a. data patches) can exactly describe the vulnerability conditions and achieve better accuracy. However, how to efficiently apply vulnerability signatures to high speed NIDS/NIPS with a large ruleset remains an untouched but challenging issue.This paper presents the first systematic design of vulnerability signature based parsing and matching engine, NetShield, which achieves multi-gigabit throughput while offering much better accuracy. Particularly, we made the following contributions: (i) we proposed a candidate selection algorithm which efficiently matches thousands of vulnerability signatures simultaneously requiring a small amount of memory; (ii) we proposed an automatic lightweight parsing state machine achieving fast protocol parsing. Experimental results show that the core engine of NetShield achieves at least 1.9+Gbps signature matching throughput on a 3.8GHz single-core PC, and can scale-up to at least 11+Gbps under a 8-core machine for 794 HTTP vulnerability signatures. We release our prototype and sample signatures at www.nshield.org.

Zhichun Li,Gao Xia,Hongyu Gao,Yi Tang,Yan Chen,B. Liu

2010-01-01

Abstract:Accuracy and speed are the two most important metrics for Network Intrusion Detection or Prevention Systems (NIDS/NIPSes). Due to emerging polymorphic attacks and the fact that in many cases regular expressions (regexes) cannot capture the vulnerability conditions accurately, the accuracy of existing regexbased NIDS/NIPS systems has become a serious problem. In contrast, the recently-proposed vulnerability signatures [8, 29] (a.k.a. data patches) can exactly describe the vulnerability conditions and achieve better accuracy. However, when applying vulnerability signatures to high speed NIDS/NIPS with a large ruleset, how to efficiently match them is an untouched but challenging issue. This paper presents the design of NetShield, a vulnerability signature based NIDS/NIPS which achieves multigigabit throughput while offering much better accuracy. This is accomplished because of the following contributions: (i) we propose a candidate selection (CS) algorithm which efficiently matches thousands of vulnerability signatures simultaneously requiring a small amount of memory; (ii) we propose a automatic lightweight parsing transition state machine achieving fast protocol parsing; (iii) we implement the NetShield prototype. Experimental results show that the core engine of NetShield achieves at least 1.9+Gbps signature matching throughput on a 3.8GHz single-core PC, and can scale-up to at least 11+Gbps under a 8-core CPU for 794 HTTP vulnerability signatures.

P Wang,BX Fang,XC Yun

DOI: https://doi.org/10.1109/pdcat.2005.25

2005-01-01

Abstract:Worms have seriously harmed computer and network systems due to their rapid spread rate. Therefore, it is necessary to research automatic worm detection systems in large networks. In this paper, data stream based anomaly detection is used to screen out anomalous network data flow, subsequently, the signature is extracted. After analyzed, the signature is updated to the misuse detection pattern. Based on an automatic worm defense, a system could discover an epidemic situation effectively and detect an unknown worm.

Hui He,Ming-Zeng Hu,Wei-Zhe Zhang,Hong-Li Zhang

2005-01-01

Abstract:Internet worms are becoming a major threat to the security of today's large-scale networks. The fast spreading nature of worms calls for a worm monitoring and early detection system. In this paper, an effective algorithm for early detection of the active worms and the corresponding detection system are proposed. The detection engine is the key components to the system, and the early detection algorithm based on multi-similarity is discussed in detail, which is the core of the engine, that integrates the worms' behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution change of some attributes. Our simulation experiments show that the system can detect the presence worms intrusion when attacks don't arouse the sharp changes of the network traffic. It can detect the worm attack ahead of its overspreading on the large-scale network.

BaiLing Wang,BinXing Fang,XiaoChun Yun

DOI: https://doi.org/10.1007/11590354_9

2005-01-01

Abstract:A new detection approach based on worm behaviors for IDS anti-worm is presented. By the method, the susceptible hosts probed by worms can be detected, and then an immediate counter-attack to the susceptible host can be proposed. As a case study, a simulation on the IDS-based anti-worm counter-attacking the malicious worm is given, which shows the new containment is much more effective and bring less traffic to network than the traditional one. It can be used as a reference for Grid security infrastructure.