Polymorphic worm detection using token-pair signatures

Authors:
Burak Bayoglu;Ibrahim Sogukpinar
Affiliations:
National Research Institute of Electronics and Cryptology, Kocaeli, Turkey;Gebze Institute of Technology, Kocaeli, Turkey
Venue:
Proceedings of the 4th international workshop on Security, privacy and trust in pervasive and ubiquitous computing
Year:
2008

Citing 12
Cited 1

Color Set Size Problem with Application to String Matching

CPM '92 Proceedings of the Third Annual Symposium on Combinatorial Pattern Matching
Engineering a Lightweight Suffix Array Construction Algorithm

Algorithmica
Semantics-Aware Malware Detection

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Fast and automated generation of attack signatures: a basis for building self-protecting servers

Proceedings of the 12th ACM conference on Computer and communications security
MisleadingWorm Signature Generators Using Deliberate Noise Injection

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Hamsa: Fast Signature Generation for Zero-day PolymorphicWorms with Provable Attack Resilience

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
An architecture for generating semantics-aware signatures

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
An Automated Signature-Based Approach against Polymorphic Internet Worms

IEEE Transactions on Parallel and Distributed Systems
Polymorphic worm detection using structural information of executables

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Graph based signature classes for detecting polymorphic worms via content analysis

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

A worm is a self-replicating computer program which does not need neither to attach itself to an existing program nor require user intervention unlike viruses. Worms exploit operating system and application software vulnerabilities to infect the systems. Polymorphic code itself is the art of developing code that mutates at each copy while keeping the original algorithm unchanged. By the way, a polymorphic worm changes its pattern each time it sends a copy to another system. Thereby this avoids detection by simple signature matching techniques. On the other hand, there is still some part of code that remains unchanged. In this work, we propose Token-Pair Conjunction and Token-Pair Subsequence signatures for detecting polymorphic worm threats. Experiments of the proposed model were performed using two real polymorphic worms. Experiment results show that the proposed signature schema have low false negatives and false positives.