Network worms are a clear and growing threat to the security of today's Internet-connected hosts and networks. One of the most common and effective ways to detect worm attacks is to deploy a signature-based IDS. An IDS samples suspicious flows in the network with the goal of detecting previously encountered worms. The two significant drawbacks of these approaches are manual signature generation and the lack of accurate signatures for detecting polymorphic worms. This work proposes a new Network Signature Generator (NSG), Extended PolyTree, that automatically and quickly generates accurate signatures for worms, especially polymorphic worms. It is observed that the signatures of worms and their variants are related, and that a tree structure can properly reflect their familial resemblance. Therefore, the signatures extracted from worm samples are organized into a tree structure called a Signature Tree. The approach comprises five phases, namely traffic data collection, SRE signature generation, signature tree generation, signature selection for the IDS, and worm detection and removal. SRE signatures are generated from the suspicious traffic collected. These signatures are arranged so that they represent their familial resemblance in the form of a signature tree. From the most specific signatures generated, a few are selected and given to the IDS for worm detection. The simulation analysis of this work shows the increase in the time taken to construct the tree and in worm detection time. The accuracy of signature generation in this work is better than that of any existing system.