Haibin Shen

2008-01-01

Abstract:In order to prevent the huge damage caused by computer worms,an innovative approach using support vector machine(SVM) classifier for detecting unknown computer worm based on the measurement of computer performance was proposed to alarm Internet users.In the experiment,system features were monitored from window performance counters with different applications running on and bayesian network theorem was applied on selecting features from which the judging rule is deduced by SVM.As proved by the result from testing experiment,the system can detect the presence of an unknown worm by reaching high accuracy,so that it can be well known that the model using SVM active learning the less prior knowledge has a good performance on detecting unknown computer worms.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

朱禹,沈海斌,周喜川

DOI: https://doi.org/10.3969/j.issn.1005-9490.2008.06.060

2008-01-01

Abstract:Comparing to the common anti-virus tools,we propose a new host-based approach for detecting unknown computer worms based on the measurement of computer behaviors,rather than recognizing specific instances of worms.We collected 323 features in order to reflect the computer behaviors and used a new feature selection method to reduce classified features.In the experiment,Bayesian Network theorem was applied on the several feature subsets to deduce the rule.We performed several experiments to evaluate the detection system,focusing on computer worms being injected in the computer while running several programs in order to simulate different background statuses.The average accuracy we achieved was above 80% for unknown worms sample and for known worms even above 99%.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Zhichun Li,Manan Sanghi,Yan Chen,Ming-Yang Kao,Brian Chavez

DOI: https://doi.org/10.1109/SP.2006.18

2006-01-01

Abstract:Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph [16] in terms of efficiency, accuracy, and attack resilience.

Jia Zhang,Haixin Duan,Lanjia Wang,Yuntao Guan

DOI: https://doi.org/10.1109/iccee.2008.33

2008-01-01

Abstract:With the development of polymorphic worms, worms do greater harm to networks. The content-based signature generation of polymorphic worms has been a challenge for network security. This paper presents a fast signature generation method for polymorphic worms. The main feature of this method is clustering network normal traffic to create a white list before carrying out a comprehensive analysis of malicious traffic. Compared with other methods, this approach avoids the large number of comparisons with normal network traffic pool because of the white list. It is proved by experiments that our approach has a good noise-tolerant capability and high efficiency, and signatures generated by our method have a high accuracy.

Ashraf A. Shahin

DOI: https://doi.org/10.48550/arXiv.1409.1654

2014-09-13

Abstract:In the past few years, computer worms are seen as one of significant challenges of cloud computing. Worms are rapidly changing and getting more sophisticated to evade detection. One major issue to defend against computer worms is collecting worms' payloads to generate their signature and study their behavior. To collect worms' payloads, we identified challenges for detecting and collecting worms' payloads and proposed high-interactive honeypot to collect payloads of zero-day polymorphic worms in homogeneous and heterogeneous cloud computing platforms. Virtual machine (VM) memory and VM disk image are inspected from outside using open-source forensics tools and VMWare Virtual Disk Development Kit. Our experiments show that the proposed approach overcomes the identified challenges.

Distributed, Parallel, and Cluster Computing,Cryptography and Security

LanJia Wang,HaiXin Duan,Xing Li

DOI: https://doi.org/10.1007/s11432-008-0150-x

2008-01-01

Science in China Series F Information Sciences

Abstract:It is a promising way to detect polymorphic shellcode using emulation method. However, previous emulation-based approaches are limited in their performance and resilience against evasions. A new enhanced emulation-based detection approach is proposed, including an automaton-based model of the dynamic behavior of polymorphic shellcode and a detection algorithm, the detection criterion of which is derived from that model and ensures high detection accuracy. The algorithm also contains several optimization techniques, highly improving the running performance and the resilience against detection evasion shellcode. We have implemented a prototype system for our approach. The advantages of our algorithm are validated by the experiments with real network data, polymorphic shellcode samples generated by available polymorphic engines and hand-crafted detection evasion shellcode.

Chen Ting,Zhang Xiaosong,Liu Zhi

DOI: https://doi.org/10.1109/EBISS.2009.5137874

2009-01-01

Abstract:Zero-day shellcodes has become a major threat to the Internet with complex obfuscation techniques. However, even the state-of-the-art NIDS has small chances of detecting them because they rely on known signatures. This paper presents Hybrid Detection for zero-day Polymorphic Shellcodes (HDPS) against shellcodes using various obfuscations. Our approach employs a heuristic approach to detect return address and filter mass innocent network flows, and then constructs a Markov Model to detect the existence and location of executable codes in suspicious flows. Finally, it applies an elaborate approach to detect NOP Sleds in the executable codes. Initial experiments show HDPS detects nearly all types of shellcodes, and the false positive rate approximates zero with low overhead.

BaiLing Wang,BinXing Fang,XiaoChun Yun

DOI: https://doi.org/10.1007/11590354_9

2005-01-01

Abstract:A new detection approach based on worm behaviors for IDS anti-worm is presented. By the method, the susceptible hosts probed by worms can be detected, and then an immediate counter-attack to the susceptible host can be proposed. As a case study, a simulation on the IDS-based anti-worm counter-attacking the malicious worm is given, which shows the new containment is much more effective and bring less traffic to network than the traditional one. It can be used as a reference for Grid security infrastructure.

Hui He,Ming-Zeng Hu,Wei-Zhe Zhang,Hong-Li Zhang

2005-01-01

Abstract:Internet worms are becoming a major threat to the security of today's large-scale networks. The fast spreading nature of worms calls for a worm monitoring and early detection system. In this paper, an effective algorithm for early detection of the active worms and the corresponding detection system are proposed. The detection engine is the key components to the system, and the early detection algorithm based on multi-similarity is discussed in detail, which is the core of the engine, that integrates the worms' behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution change of some attributes. Our simulation experiments show that the system can detect the presence worms intrusion when attacks don't arouse the sharp changes of the network traffic. It can detect the worm attack ahead of its overspreading on the large-scale network.

Chen Yue,Xue Zhi,Wang Yijun

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.01.065

2007-01-01

Abstract: At present, buffer overflow still stands as one of the most prevalent and efficient way to attack network system. It usually results from manually attack by hackers and self-propagation attack by worms or viruses. With the development of NIDS, it is feasible to detect buffer overflow attack by simple Shellcode pattern-matching. However, the appearance of Shellcode polymorphism enables Shellcode to evade the detection of NIDS. This paper demonstrates a variety of detailed shellcode polymorphic technology against traditional IDS discerning method and presents new tech- nology and orientation to detect the polymorphic shellcode.

Deguang Kong,Yoon-Chan Jhi,Tao Gong,Sencun Zhu,Peng Liu,Hongsheng Xi

DOI: https://doi.org/10.1007/s10207-011-0132-7

2010-01-01

Abstract:String extraction and matching techniques have been widely used in generating signatures for worm detection, but how to generate effective worm signatures in an adversarial environment still remains a challenging problem. For example, attackers can freely manipulate byte distributions within the attack payloads and thus inject well-crafted noisy packets to contaminate the suspicious flow pool. To address these attacks, we propose SAS, a novel S emantics A ware S tatistical algorithm for automatic signature generation. When SAS processes packets in a suspicious flow pool, it uses data flow analysis techniques to remove non-critical bytes. We then apply a hidden Markov model (HMM) to the refined data to generate state-transition-graph-based signatures. To our best knowledge, this is the first work combining semantic analysis with statistical analysis to automatically generate worm signatures. Our experiments show that the proposed technique can accurately detect worms with concise signatures. Moreover, our results indicate that SAS is more robust to the byte distribution changes and noise injection attacks compared to Polygraph and Hamsa.

Xiaojun Tong,Zhu Wang

DOI: https://doi.org/10.1007/978-3-642-25002-6_23

2011-01-01

Abstract:The existing worm detection system requires high detection environment and has high false alarm rate. So the paper proposed a novel anomaly detection algorithm and the prewarning technology of unknown network worms. We detect unknown worms by means of multidimensional worm abnormal detection method to discover unknown worms, extracts unknown worm features set by analyzing worm data in a leap-style way and creates new rules which will be used to detect the corresponding worm in case that the unknown worm attacks again. Experiments have proved that this method can discover new worms successfully, extracts corresponding features and creates new rules for later detection. Experiment data has shown that this method has a high success detection rate and low false alarm rate.

Xiaojun Tong,Zhu Wang,Miao Zhang,Yang Liu,Hui Xu

DOI: https://doi.org/10.1109/DCABES.2014.55

2014-01-01

Abstract:This paper proposes a novel anomaly detection method of network worms. The algorithm detects unknown worms by multidimensional worm abnormal detection technology, extracts its feature string via analyzing worm data with leap-style and creates new rules to detect the corresponding worm in case that the unknown worm attacks again. The paper has realized the automatic detection of unknown worms. Experiment data has showed that the method has high success detection rate and low false alarm rate.

Zhang Xiaosong,Chen Ting,Chen Dapeng,Liu Zhi

DOI: https://doi.org/10.1108/03321641011014913

2013-01-01

Abstract:Purpose - The purpose of this paper is to propose a self-immune automated signature generation (SISG) for polymorphic worms which is able to work well, even while being attacked by any types of malicious adversary and produces global-suited signatures other than local-suited signatures for its distributed architecture. Through experimentations, the method is thereafter evaluated. Design/methodology/approach - The ideal worm signature exist in each copy of the corresponding worm, but never in other worm categories and normal network traffic. SISG compares each worm copy and extract the same components, then produces the worm signature from the components which must achieve low-false positive and low-false negative. SISG is immune from the most attacks by filtering the harmful noise made by malicious adversaries before signature generation. Findings - NOP sled, worm body and descriptor are not good to be signature because they can be confused intricately by polymorphic engines. Protocol frames may not suit to be signature for the anti-automated signature generation attacks. Exploit bytes is the essential part of an ideal worm signature and it can be extracted by SISG exactly. Originality/value - The paper proposes a SISG for polymorphic worms which is able to work well even while being attacked by any types of malicious adversary and produces global-suited signatures other than local-suited signatures for its distributed architecture.

王兰佳,段海新,李星

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.13.003

2008-01-01

Abstract:Based on the analysis of the characteristics of polymorphic Shellcode’s behavior, an dynamic emulation based detection criterion is proposed. Using the criterion, this paper designs and implements a dynamic emulation based polymorphic Shellcode detection system, which is highly optimized in each module. With 3.3 GB real network data and 11 000 polymorphic Shellcode samples, the experiment on prototype presents zero false positive and false negative, and it improves the throughput of system.

Bing Wu,Xiaochun Yun,Xiang Cui

2006-01-01

Abstract:In this paper, the concept of Worm Poisoning and PoisonWorm are presented and the feasibility of Worm Poisoning is testified. A propagation model named SIRP Model and PoisonWorm’s side-effect on network traffic are given and compared with the classical epidemic Kermack-Mckendrick model. The feasibility and necessity of PoisonWorm and its application are highlighted in active defense system against Internet worms. In addition, the technology of P2P-based unknown worm detection and signature verification are briefly introduced.

Chen Bo,Yu Xiangzhan,Fang Binxing,Yun Xiaochun

DOI: https://doi.org/10.1007/s11460-007-0087-7

2007-01-01

Frontiers of Electrical and Electronic Engineering in China

Abstract:There appear many Internet-scale worm incidents in recent years, which have caused severe damage to the society. It is clear that a simple self-propagation worm can quickly spread across the Internet. Therefore, it is necessary to implement automatic mitigation which can detect worm and drop its packet. In this paper, the worm’s framework was first analyzed and its two characteristics were detected. Based on the two characteristics, a defending algorithm was presented to protect network. Experimental results verify that our algorithm is very effective to constrain the worm propagation and meanwhile it almost does not interfere in normal activity.

Hao Tu,Zhitang Li,Bin Liu,Yejiang Zhang

DOI: https://doi.org/10.1080/15501320802508543

2009-01-01

Abstract:The fast spread of a worm is a great challenge to Internet security. Most current defense systems use a signature matching approach while most signatures are developed manually. It is difficult to catch a variety of new worms promptly. An efficient worm defense system is designed and implemented to provide early warning at the moment the worms start to spread in the network and to contain or slow down the spread of the worm by automatically extracting a signature that could be used by firewalls or Intrusion Prevention Systems. Several recent efforts to automatically extract worm signatures from Internet traffic have been done, but the efficiency is an unsolved problem especially in real high-speed network. In this paper, we proposed an efficient worm defense system based signature extraction. The input of the system is all traffic crossing an edge network and its output is a database of worm signatures which can be used by content-based defense. There are three main stages to extract signatures from network traffic. First, a clustering stage uses multidimensional traffic mining based IP header to identify significant traffic volume. We propose a binary clustering algorithm and this leaves a preferred policy to improve the front traffic filter, which can reduce the traffic to be processed and enhance its purity. After clustering, nonsignificant traffic volume is stored in an innocuous packet pool and significant traffic volume is further classified using address dispersion as suspicious or innocuous. After this stage, only a small portion of the packets captured from the edge network are analyzed in third stage, signature extraction. A position-aware signature generation method based bloom filter is proposed to extract more accurate signatures with less CPU time and memory consumption. To minimize false positives, the signatures will be verified based on the innocuous packet pool. Both trace data and tcpdump data are used to test the prototype system. Experiment results show that the system can efficiently filter through suspicious traffic with high purity and extract more accurate signature, which can well support popular content-based defense system such as Snort.