Learning Program Behavior Profiles for Intrusion Detection
Proceedings of the Workshop on Intrusion Detection and Network Monitoring
Honeycomb: creating intrusion detection signatures using honeypots
ACM SIGCOMM Computer Communication Review
Shield: vulnerability-driven network filters for preventing known vulnerability exploits
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Secure program execution via dynamic information flow tracking
ASPLOS XI Proceedings of the 11th international conference on Architectural support for programming languages and operating systems
A behavioral approach to worm detection
Proceedings of the 2004 ACM workshop on Rapid malcode
Testing network-based intrusion detection signatures using mutant exploits
Proceedings of the 11th ACM conference on Computer and communications security
A Dynamic Technique for Eliminating Buffer Overflow Vulnerabilities (and Other Memory Errors)
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Minos: Control Data Attack Prevention Orthogonal to Memory Model
Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Vigilante: end-to-end containment of internet worms
Proceedings of the twentieth ACM symposium on Operating systems principles
Towards Automatic Generation of Vulnerability-Based Signatures
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Collapsar: a VM-based architecture for network attack detention center
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Virtual playgrounds for worm behavior investigation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
BotHunter: detecting malware infection through IDS-driven dialog correlation
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
SQLProb: a proxy-based architecture towards preventing SQL injection attacks
Proceedings of the 2009 ACM symposium on Applied Computing
| Hi-index | 0.00 |
This paper proposes behavioral footprinting, a new dimension of worm profiling based on worm infection sessions. A worm's infection session contains a number of steps (e.g., for probing, exploitation, and replication) that are exhibited in certain order in every successful worm infection. Behavioral footprinting complements content-based signature by enriching a worm's profile, which will be used in worm identification, an important task in post worm attack investigation and recovery. We propose an algorithm to extract a worm's behavioral footprint from the worm's traffic traces. Our evaluation with a number of real worms and their variants confirms the existence of worms' behavioral footprints and demonstrates their effectiveness in worm identification.