A Space-Economical Suffix Tree Construction Algorithm. Journal of the ACM (JACM).
Color Set Size Problem with Application to String Matching. CPM '92, Proceedings of the Third Annual Symposium on Combinatorial Pattern Matching.
Automatically inferring patterns of resource consumption in network traffic. Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications.
Online identification of hierarchical heavy hitters: algorithms, evaluation, and applications. Proceedings of the 4th ACM SIGCOMM conference on Internet measurement.
Polygraph: Automatically Generating Signatures for Polymorphic Worms. SP '05, Proceedings of the 2005 IEEE Symposium on Security and Privacy.
Profiling internet backbone traffic: behavior models and applications. Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications.
Mining anomalies using traffic feature distributions. Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications.
On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits. Proceedings of the 12th ACM conference on Computer and communications security.
OSDI'04, Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation, Volume 6.
Autograph: toward automated, distributed worm signature detection. SSYM'04, Proceedings of the 13th conference on USENIX Security Symposium, Volume 13.
Approximate frequency counts over data streams. VLDB '02, Proceedings of the 28th international conference on Very Large Data Bases.
IEEE Journal on Selected Areas in Communications.
Memory-efficient content filtering hardware for high-speed intrusion detection systems. Proceedings of the 2007 ACM symposium on Applied computing.
Building a dark piconet upon bluetooth interfaces of computers. MILCOM'09, Proceedings of the 28th IEEE conference on Military communications.
The polymorphic variety of Internet worms presents a formidable challenge to network intrusion detection and to methods that extract payload signatures for worm containment. Recently, several systems, including Earlybird and Polygraph, have been proposed that process payloads efficiently to extract signatures that are either explicitly indicative of an attack (exploit code strings) or that have unusual statistical character (content prevalence, address dispersion) consistent with worm activity. While these works are seminal, the systems have limitations that affect the accuracy of the extracted signatures and/or the practicability of deployment: Earlybird's signature extraction is fragile to polymorphism, while Polygraph makes assumptions about data availability and about the accuracy of front-end flow classification, and also has high complexity. We propose a new method that integrates header-based multidimensional flow clustering as front-end processing with content sifting (signature extraction) performed separately on each cluster in the (small) subset of clusters identified as suspicious. Front-end clustering improves the purity of the separate signature pools and also reduces complexity. We apply a "suffix tree" approach to signature extraction, gleaning both length and frequency information. We demonstrate the efficacy of our approach on a background trace taken from a /24 in Taiwan, which we salt with worm traffic generated by two realistic polymorphic mechanisms that we propose. Since there is a dearth of public data for such testing, we have also made an anonymized version of this trace available, based on randomized headers and fingerprinted payloads.
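The pipeline the abstract sketches, as an added toy implementation (this is illustrative code written for this page, not the authors' system or their trace): flows are first clustered on header fields alone, clusters showing address dispersion are flagged as suspicious, and content sifting then runs separately on each suspicious cluster using a generalized suffix trie (a suffix tree without edge compression, which is enough to show how length and frequency fall out of the tree). Assumptions not in the abstract: the header dimensions used (protocol, destination port, payload-length bucket), the dispersion thresholds, the Polygraph-style innocuous-pool filter, and the constructed sample traffic, including the made-up "invariant" byte string that plays the role of a worm decoder stub.

```python
"""Toy version of the pipeline in the abstract: header-based flow clustering as a
front end, then suffix-trie content sifting on each suspicious cluster.
Added illustration, not the paper's code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes


def cluster_flows(flows, length_bucket=64):
    """Header-only front end.  Assumption: (proto, dst port, payload-length
    bucket) stands in for the paper's multidimensional clustering."""
    clusters = defaultdict(list)
    for f in flows:
        clusters[(f.proto, f.dport, len(f.payload) // length_bucket)].append(f)
    return clusters


def suspicious_clusters(clusters, min_flows=3, min_src=3, min_dst=3):
    """Flag clusters with address dispersion: many sources hitting many
    destinations with header-similar flows (thresholds are assumptions)."""
    return {k: fl for k, fl in clusters.items()
            if len(fl) >= min_flows
            and len({f.src for f in fl}) >= min_src
            and len({f.dst for f in fl}) >= min_dst}


class SuffixTrie:
    """Uncompressed generalized suffix trie.  Each node records which payloads
    reach it: node depth = substring length, set size = flow frequency."""
    def __init__(self):
        self.children = [{}]
        self.docs = [set()]

    def _new_node(self):
        self.children.append({})
        self.docs.append(set())
        return len(self.children) - 1

    def add(self, doc_id, data, max_depth):
        # Insert every suffix, truncated to max_depth bytes; signatures longer
        # than max_depth cannot be recovered from this trie.
        for start in range(len(data)):
            node = 0
            for b in data[start:start + max_depth]:
                nxt = self.children[node].get(b)
                if nxt is None:
                    nxt = self._new_node()
                    self.children[node][b] = nxt
                self.docs[nxt].add(doc_id)
                node = nxt

    def frequent_substrings(self, min_docs, min_len):
        """Yield (substring, length, frequency) for right-maximal paths shared
        by at least min_docs payloads."""
        stack = [(0, b"")]
        while stack:
            node, path = stack.pop()
            freq = len(self.docs[node])
            kids = [(c, n) for c, n in self.children[node].items()
                    if len(self.docs[n]) >= min_docs]
            if len(path) >= min_len and all(len(self.docs[n]) < freq for _, n in kids):
                yield path, len(path), freq
            for c, n in kids:
                stack.append((n, path + bytes([c])))


def sift_cluster(flows, innocuous, min_docs=3, min_len=6, max_depth=32):
    """Content sifting for one cluster: frequent maximal substrings that do not
    occur in the innocuous pool (Polygraph-style check, an assumption here)."""
    trie = SuffixTrie()
    for i, f in enumerate(flows):
        trie.add(i, f.payload, max_depth)
    cands = list(trie.frequent_substrings(min_docs, min_len))
    sigs = []
    for s, ln, fr in cands:
        # Left-maximality: drop s if a longer candidate contains it at >= frequency.
        if any(s != t and s in t and ft >= fr for t, _, ft in cands):
            continue
        if any(s in p for p in innocuous):
            continue
        sigs.append((s, ln, fr))
    return sorted(sigs, key=lambda x: (-x[2], -x[1], x[0]))


def run_pipeline(flows):
    clusters = cluster_flows(flows)
    suspicious = suspicious_clusters(clusters)
    innocuous = [f.payload for k, fl in clusters.items() if k not in suspicious for f in fl]
    return {k: sift_cluster(fl, innocuous) for k, fl in suspicious.items()}


# Constructed sample traffic (not a real exploit): the "worm" keeps an invariant
# stub while its request path and padding bytes vary per instance.
WORM_INVARIANT = b"\xeb\x06\x90\x90\x31\xc0\x50\x68"


def worm_payload(seed):
    junk = bytes((31 * seed + 7 * i) % 256 for i in range(12))
    return (b"GET /" + junk[:6] + b".php HTTP/1.0\r\n" + junk[6:]
            + WORM_INVARIANT + bytes([seed]))


BENIGN = (b"GET /index.php HTTP/1.0\r\nHost: www.example.test\r\n"
          b"User-Agent: constructed-client/1.0\r\n\r\n")


def sample_flows():
    worm = [Flow(f"10.0.0.{i}", f"192.168.1.{10 + i}", 80, "tcp", worm_payload(i))
            for i in range(1, 5)]
    benign = [Flow("10.0.0.9", f"192.168.1.{10 + i}", 80, "tcp", BENIGN) for i in range(3)]
    return worm + benign


if __name__ == "__main__":
    for key, sigs in run_pipeline(sample_flows()).items():
        print(key, [(s.hex(), ln, fr) for s, ln, fr in sigs])
```

On the constructed traffic the benign requests share a header-only cluster with each other but come from a single source, so they never reach the sifting stage and instead serve as the innocuous pool; the worm cluster yields the HTTP boilerplate and the invariant stub as frequent maximal substrings, and the innocuous filter discards the boilerplate because the benign requests also contain it. The trie's quadratic space and the `max_depth` cap are exactly the costs a real suffix-tree construction (the space-economical algorithm in the reference list) avoids.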