1
Survey on Automatic Polymorphic Worms Detection
  • Nilam Chand
  • Puspa Mahat

2
Introduction
  • Worms
  • One of the major threats to the security of
    current networks
  • Designed to exploit vulnerabilities found in many
    hosts on the Internet
  • Polymorphic Worms
  • Can change their appearance (byte pattern) in each
    instance

3
Detection of Worms
  • Use of intrusion detection systems (IDS) such as
    Bro and Snort, which match traffic against a
    signature database

4
Problem and Solution
  • Signature generation is human-labor intensive
  • Frequent database updates required
  • Slow response to novel worms
  • New threats such as polymorphic worms, which
    defeat a fixed byte-string signature
  • Solution
  • Automatic generation of signatures

5
Characteristic of worms
  • Replicate within minutes or even seconds
  • Voluminous: many flows carry the same exploit
  • Contain some invariant byte strings needed to
    exploit the vulnerability

6
Automatic signature generation approaches
  • Content based detection
  • Autograph
  • Polygraph
  • Hamsa
  • Structure based detection

7
Content Based Detection
8
Autograph
  • Based on matching a single byte string
  • Consists of two phases: suspicious flow selection
    and signature generation
  • Suspicious flow selection: flows from sources
    observed port scanning (many failed connection
    attempts) go into the suspicious pool
  • The signature is <IP protocol number,
    destination port number, byte sequence>
  • For the same IP protocol and destination port
    number, the byte sequence in a flow is matched
    against the signature

9
Autograph contd..
  • Each suspicious flow is divided into smaller
    content blocks (content-based payload
    partitioning), and the number of suspicious flows
    in which each content block occurs is counted.
  • Content blocks are ranked by prevalence: the
    higher the count, the higher the prevalence.
  • The most prevalent content block is used as the
    signature.
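The two Autograph phases on slides 8 and 9, as an added Python example (not Autograph's own code). Four constructed suspicious flows share a hypothetical request prefix and differ in their tails; each flow is cut into content blocks by content-based partitioning, prevalence is counted per flow, and the most prevalent block becomes a <protocol, port, byte sequence> signature. CRC32 over a small sliding window stands in for the Rabin fingerprint Autograph uses to place block boundaries; the flows, the prefix and the parameter values are assumptions of this example, not data from the paper.

```python
"""Autograph-style signature generation (an added example, not Autograph's own
code). Suspicious flows are already selected (here they are constructed), each
is cut into content blocks by content-based payload partitioning, and the
most prevalent block becomes the signature
<IP protocol, destination port, byte sequence>.
Assumption: CRC32 of a small sliding window stands in for the Rabin
fingerprint Autograph uses to place block boundaries."""
import zlib
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed sample traffic, not captured worm data. The request prefix is a
# hypothetical invariant; the tails imitate per-instance variation.
INVARIANT = b"GET /cgi-bin/vulnerable.cgi?input="
SUSPICIOUS_FLOWS: List[bytes] = [
    INVARIANT + b"A" * 48 + b"\x90" * 8 + b"\xeb\x1f",
    INVARIANT + b"B" * 40 + b"\x90" * 16 + b"\xe8\x00",
    INVARIANT + b"C" * 56 + b"\x90" * 4 + b"\x31\xc0",
    INVARIANT + b"D" * 32 + b"\x90" * 12 + b"\x6a\x0b",
]
BENIGN_FLOWS: List[bytes] = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 0\r\n\r\n",
]


@dataclass(frozen=True)
class Signature:
    ip_proto: int
    dst_port: int
    byte_seq: bytes
    prevalence: int  # number of suspicious flows containing byte_seq


def copp_blocks(payload: bytes, window: int = 4, avg: int = 16,
                min_len: int = 8, max_len: int = 32) -> List[bytes]:
    """Content-based payload partitioning. A boundary falls after byte i when
    the hash of the window ending at i is 0 mod avg, so the same bytes are cut
    the same way wherever they sit in a flow; min_len suppresses boundaries
    that would make a block too short and max_len forces one, as in Autograph."""
    blocks, start = [], 0
    for i in range(window - 1, len(payload)):
        length = i + 1 - start
        at_boundary = (length >= min_len and
                       zlib.crc32(payload[i + 1 - window:i + 1]) % avg == 0)
        if at_boundary or length == max_len:
            blocks.append(payload[start:i + 1])
            start = i + 1
    if start < len(payload):
        blocks.append(payload[start:])  # trailing partial block
    return blocks


def block_prevalence(flows: List[bytes]) -> Counter:
    """Count, per block, the number of flows it occurs in (not occurrences)."""
    counts: Counter = Counter()
    for flow in flows:
        counts.update(set(copp_blocks(flow)))
    return counts


def generate_signature(flows: List[bytes], ip_proto: int = 6,
                       dst_port: int = 80) -> Signature:
    byte_seq, prevalence = block_prevalence(flows).most_common(1)[0]
    return Signature(ip_proto, dst_port, byte_seq, prevalence)


def matches(sig: Signature, ip_proto: int, dst_port: int, payload: bytes) -> bool:
    """Autograph matching: only flows with the signature's protocol and
    destination port are compared, and they match if they contain the bytes."""
    return (sig.ip_proto == ip_proto and sig.dst_port == dst_port
            and sig.byte_seq in payload)


if __name__ == "__main__":
    sig = generate_signature(SUSPICIOUS_FLOWS)
    print(sig)
    for flow in SUSPICIOUS_FLOWS + BENIGN_FLOWS:
        print(matches(sig, 6, 80, flow), flow[:40])
```

Because the boundaries are content-defined, every block that lies inside the shared prefix is cut identically in all four flows and reaches prevalence 4, while blocks that touch the varying tails appear in one flow each; the block size parameters (min_len, max_len) bound the signature length, which is the dependency slide 10 points out.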

10
Problem
  • Not effective for polymorphic worms: the invariant
    content is too short or too scattered to form one
    contiguous block
  • Quality of the signature depends upon the size of
    the content block

11
Polygraph
  • Based on matching multiple invariant substrings
    (tokens)
  • Effective for polymorphic worms

12
Architecture of Polygraph monitor
Reference fig 41
13
Polygraph contd..
  • Network flow classification (suspicious vs.
    innocuous pool)
  • Preprocessing: token extraction
  • Signature generation: 3 methods
  • Conjunction signature
  • Token subsequence signature
  • Bayes signature

14
Conjunction signature
  • A worm sample must contain all tokens in the
    signature, in any order
  • Signature generated by extracting all distinct
    tokens that are found in every sample in the
    suspicious pool

15
Token Subsequence signature
  • A worm sample must contain all tokens in the
    signature, in the same order
  • Signature generated by finding the ordered
    sequence of tokens present in every sample in the
    suspicious pool, by iteratively applying a string
    alignment algorithm

16
Bayes signature
  • Based on probabilistic matching
  • Two probabilities are calculated for each token:
  • the probability that the token is present in a
    suspicious flow
  • the probability that it is present in an
    innocuous flow
  • Each token gets a score derived from the two; a
    flow matches when the sum of the scores of the
    tokens it contains exceeds a threshold

17
Hamsa
Reference 2 3
18
Hamsa contd..
Reference 33
19
Hamsa contd
  • Fast token extraction: extracts tokens that occur
    in at least a given fraction of all the flows in
    the suspicious pool
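The three Polygraph signature types of slides 14 to 16, together with the fraction-based token extraction this Hamsa slide describes, as one added Python example (not Polygraph's or Hamsa's own code). The suspicious and innocuous pools, the three invariant pieces T1, T2, T3 and the reordered flow are constructed. Two simplifications are assumptions of this example: the token-subsequence order comes from an iterated longest common subsequence over each flow's token ordering instead of Polygraph's string alignment, and the Bayes scores use Laplace-smoothed frequencies with the threshold placed at the highest score any innocuous-pool flow reaches.

```python
"""Polygraph-style signatures over a suspicious pool (an added example, not
Polygraph's or Hamsa's own code). Tokens are substrings of at least MIN_TOKEN
bytes present in at least `fraction` of the suspicious flows (the Hamsa
fraction rule; Polygraph uses a minimum count), pruned to maximal strings.
Assumptions: iterated LCS instead of string alignment for the token
subsequence, Laplace-smoothed Bayes scores, threshold = max innocuous score."""
import math
from functools import reduce

MIN_TOKEN = 4

# Constructed pools, not captured traffic. The invariant pieces are
# hypothetical: a request prefix, a 4-byte return address, the HTTP framing.
T1, T2, T3 = b"GET /cgi-bin/vulnerable.cgi?", b"\xff\xbf\xe0\x12", b" HTTP/1.1\r\n"
SUSPICIOUS = [
    T1 + b"A" * 20 + T2 + b"A" * 10 + T3,  # filler differs per instance
    T1 + b"B" * 15 + T2 + b"B" * 12 + T3,
    T1 + b"C" * 24 + T2 + b"C" * 8 + T3,
    T1 + b"D" * 18 + T2 + b"D" * 14 + T3,
]
INNOCUOUS = [
    b"GET /index.html" + T3,
    T1 + b"name=bob" + T3,                                     # benign use of the script
    b"POST /upload" + T3 + b"Content-Length: 4\r\n\r\n" + T2,  # binary upload
    b"HEAD / HTTP/1.0\r\n",
]
REORDERED = T2 + b"E" * 8 + T1 + b"E" * 6 + T3  # all tokens, wrong order


def extract_tokens(flows, fraction=1.0, min_len=MIN_TOKEN):
    """Substrings present in at least ceil(fraction * n) flows, keeping only
    maximal ones: a token inside a longer token with the same support adds
    no discriminating power."""
    need = math.ceil(fraction * len(flows))
    candidates = {f[i:j] for f in flows for i in range(len(f))
                  for j in range(i + min_len, len(f) + 1)}
    support = {t: sum(t in f for f in flows) for t in candidates}
    frequent = [t for t, c in support.items() if c >= need]
    kept = []
    for t in sorted(frequent, key=len, reverse=True):
        if not any(t in k and support[k] >= support[t] for k in kept):
            kept.append(t)
    return sorted(kept, key=lambda t: (-len(t), t))


def conjunction_match(tokens, payload):
    """Conjunction signature: every token present, in any order."""
    return all(t in payload for t in tokens)


def token_order(tokens, payload):
    """Every token occurrence in a flow, ordered by position."""
    hits = [(i, t) for t in tokens for i in range(len(payload)) if payload.startswith(t, i)]
    return [t for _, t in sorted(hits)]


def lcs(a, b):
    """Longest common subsequence of two token lists."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return out


def subsequence_signature(flows, tokens):
    return reduce(lcs, (token_order(tokens, f) for f in flows))


def subsequence_match(sig, payload):
    """Token subsequence signature: tokens in order, each after the last."""
    pos = 0
    for t in sig:
        pos = payload.find(t, pos)
        if pos < 0:
            return False
        pos += len(t)
    return True


def bayes_signature(tokens, suspicious, innocuous):
    """score(t) = log P(t|suspicious) / P(t|innocuous); the threshold sits at
    the highest total any innocuous-pool flow reaches."""
    def freq(t, pool):
        return (sum(t in f for f in pool) + 1) / (len(pool) + 2)
    scores = {t: math.log(freq(t, suspicious) / freq(t, innocuous)) for t in tokens}
    return scores, max(bayes_score(scores, f) for f in innocuous)


def bayes_score(scores, payload):
    return sum(s for t, s in scores.items() if t in payload)


def bayes_match(sig, payload):
    scores, threshold = sig
    return bayes_score(scores, payload) > threshold
```

With these pools the extractor returns exactly T1, T2 and T3. The conjunction signature accepts the reordered flow and rejects the benign request that uses the same script without the return-address bytes; the token subsequence signature rejects the reordered flow; the Bayes signature gives the HTTP framing token a low score because it is common in innocuous traffic, so a flow needs the rarer tokens to cross the threshold. Lowering `fraction` below 1.0 shows the Hamsa-style tolerance for a noise flow in the pool.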

20
Based On Structure of Executables
21
Structure of Executables Based
  • Problems
  • Metamorphic nature of worms
  • Substitution of equivalent instructions in the
    decryption routine
  • Solution
  • Look at the structure of the executable code
    instead of byte strings

22
Basic Steps
  • Basic blocks are extracted
  • Control flow graph (CFG) is constructed
  • A color code is assigned to each node of the CFG
  • Fingerprints are saved in a table
  • When the number of occurrences of the same
    fingerprint exceeds a threshold, a worm is
    identified

23
Executable Codes Region Extraction
  • Machine code differs between architectures such
    as x86, MIPS and Alpha
  • Only x86 is investigated
  • Steps
  • The entire network stream is taken as potential
    code
  • k-subgraphs are created

24
k-Sub Graph Generation
  • Subgraphs of k nodes
  • Advantage: removes useless trees
  • A spanning tree is created with any node as root
  • All possible variations of the tree with the same
    root are generated

25
Fingerprint Generation
Reference Fig 44
26
Color Code Assignment
  • 14-bit color code, one bit per instruction class
  • The corresponding bit is set if the block contains
    an instruction of that class
  • The color codes are appended to the subgraph's
    adjacency matrix to generate the fingerprint

27
Detection
  • The fingerprint is used to index the table
  • The (source IP, destination IP) pair is saved
  • When the number of pairs with the same fingerprint
    exceeds a threshold, a worm alert is raised
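The pipeline of slides 22 to 27 (basic blocks, CFG, 14-bit color codes, k-subgraph fingerprints, fingerprint table keyed to source/destination pairs, threshold alert) as an added Python example; it is not the code of Kruegel et al. Three variants of a constructed decoder loop stand in for polymorphic instances, and a short benign code stream for ordinary traffic. Assumptions of this example: the instruction-class table is illustrative rather than the paper's, basic blocks are given as mnemonic lists instead of being disassembled from bytes, and the canonical form of a k-subgraph is the minimum over node permutations rather than the spanning-tree construction of slide 24.

```python
"""Structure-based fingerprinting of executable code in network streams (an
added example, not the code of Kruegel et al.). Basic blocks form a CFG, every
node gets a 14-bit colour with one bit per instruction class present,
connected k-node subgraphs are canonicalised into fingerprints, and a worm
alert fires once a fingerprint has been seen between `threshold` distinct
(source, destination) pairs. Assumptions: illustrative class table, blocks
given as mnemonics, canonical form = minimum over node permutations."""
import hashlib
from itertools import combinations, permutations

CLASSES = ["data_transfer", "arithmetic", "logic", "test", "stack", "branch",
           "call", "string", "flags", "lea", "float", "syscall", "jump", "halt"]
CLASS_OF = {"mov": "data_transfer", "xchg": "data_transfer", "lea": "lea",
            "add": "arithmetic", "sub": "arithmetic", "inc": "arithmetic",
            "xor": "logic", "and": "logic", "or": "logic", "cmp": "test",
            "push": "stack", "pop": "stack", "jne": "branch", "jmp": "jump",
            "call": "call", "ret": "call", "int": "syscall"}

# Constructed decoder loop of a hypothetical polymorphic worm: A sets up the
# key and pointer, B decodes one byte, C loops, D is the decoded payload.
WORM_CFG = {"A": ["B"], "B": ["C"], "C": ["B", "D"], "D": []}
V1 = {"A": ["mov", "xor", "push"], "B": ["xor", "inc", "cmp"], "C": ["jne"], "D": ["pop", "ret"]}
V2 = dict(V1, A=["mov", "sub", "push"])  # xor ecx,ecx -> sub ecx,ecx: class changes
V3 = dict(V1, B=["xor", "add", "cmp"])   # inc esi -> add esi,1: same class
BENIGN_CFG = {"P": ["Q"], "Q": ["R"], "R": []}
BENIGN = {"P": ["push", "mov"], "Q": ["call"], "R": ["pop", "ret"]}


def color(block):
    """14-bit colour: bit i set if the block holds an instruction of class i.
    Register renaming and same-class substitution leave it unchanged."""
    bits = 0
    for mnemonic in block:
        bits |= 1 << CLASSES.index(CLASS_OF[mnemonic])
    return bits


def k_subgraphs(cfg, k):
    """Connected (ignoring edge direction) node sets of size k."""
    for combo in combinations(cfg, k):
        seen, stack = {combo[0]}, [combo[0]]
        while stack:
            n = stack.pop()
            for m in combo:
                if m not in seen and (m in cfg[n] or n in cfg[m]):
                    seen.add(m)
                    stack.append(m)
        if len(seen) == k:
            yield combo


def fingerprint(cfg, colors, nodes):
    """Adjacency matrix plus colour codes in a canonical node order, hashed."""
    best = min(tuple(int(b in cfg[a]) for a in order for b in order) +
               tuple(colors[n] for n in order) for order in permutations(nodes))
    return hashlib.sha1(repr(best).encode()).hexdigest()[:16]


def stream_fingerprints(blocks, cfg, k=3):
    colors = {n: color(b) for n, b in blocks.items()}
    return {fingerprint(cfg, colors, nodes) for nodes in k_subgraphs(cfg, k)}


class Detector:
    def __init__(self, threshold=3):
        self.threshold = threshold
        self.table = {}  # fingerprint -> set of (src, dst) pairs

    def observe(self, src, dst, blocks, cfg, k=3):
        """Record one stream; return fingerprints that just reached the threshold."""
        alerts = []
        for fp in stream_fingerprints(blocks, cfg, k):
            pairs = self.table.setdefault(fp, set())
            pairs.add((src, dst))
            if len(pairs) == self.threshold:
                alerts.append(fp)
        return alerts


if __name__ == "__main__":
    det = Detector(threshold=3)
    for i, variant in enumerate([V1, V2, V3], start=1):
        print(det.observe(f"10.0.0.{i}", "10.0.1.1", variant, WORM_CFG))
```

V1 and V3 differ only by a same-class substitution and produce identical fingerprints; V2 changes the class of one instruction in block A, so the subgraph containing A gets a different colour vector while the loop subgraph {B, C, D} still matches, which is the "different fingerprints due to different color codes" effect of slide 29. Counting distinct (source, destination) pairs rather than raw hits keeps one busy host from raising the count on its own.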

28
Evaluation
  • 128.673495 fingerprints generated per KB of
    executable stream
  • Only 0.1 mismatch collision
  • False alarm rate
  • Threshold 3: 12,661 false alarms
  • Threshold 21: 22 false alarms
  • False alarms due to the same binary files being
    accessed heavily

29
Evaluation contd..
  • ADMmutate engine
  • 66 instances out of 100 share the same fingerprint
  • 31 instances share another fingerprint
  • 3 have unique ones
  • Different fingerprints due to different color
    codes

30
Prototype Problems
  • Offline process
  • Executable code synchronization problem (locating
    where code begins in the stream)
  • Size of k is critical
  • Susceptible to the choice of instruction classes:
    a substitution that changes class changes the
    color code

31
Conclusion
  • The Autograph prototype can't detect polymorphic
    worms
  • Polygraph can detect polymorphic worms, but with
    some constraints
  • Hamsa claims to be faster and better than
    Polygraph
  • Structure-based detection also works, but is
    offline

32
References
  • J. Newsome, B. Karp and D. Song, "Polygraph:
    Automatically Generating Signatures for
    Polymorphic Worms", 2005 IEEE Symposium on
    Security and Privacy, May 2005, pp. 226-241
  • H. Kim and B. Karp, "Autograph: Toward Automated,
    Distributed Worm Signature Detection", in
    Proceedings of the 13th USENIX Security Symposium,
    Aug 2004
  • Z. Li, M. Sanghi, Y. Chen, M.-Y. Kao and B.
    Chavez, "Hamsa: Fast Signature Generation for
    Zero-day Polymorphic Worms with Provable Attack
    Resilience", 2006 IEEE Symposium on Security and
    Privacy, May 2006, pp. 32-47
  • C. Kruegel, E. Kirda, D. Mutz, W. Robertson and
    G. Vigna, "Polymorphic Worm Detection Using
    Structural Information of Executables", Eighth
    International Symposium on Recent Advances in
    Intrusion Detection (RAID), Sep 2005
  • C. Kreibich and J. Crowcroft, "Honeycomb: Creating
    Intrusion Detection Signatures Using Honeypots",
    in Proceedings of the Second Workshop on Hot Topics
    in Networks (HotNets-II), Nov 2003
  • S. Singh, C. Estan, G. Varghese and S. Savage,
    "Automated Worm Fingerprinting", in Proceedings of
    the 6th ACM/USENIX Symposium on Operating Systems
    Design and Implementation (OSDI), Dec 2004

33
Any Questions ?
34
Thank You!