Survey on Automatic Polymorphic Worms Detection

1
Survey on Automatic Polymorphic Worms Detection

• Nilam Chand
• Puspa Mahat

2
Introduction

• Worms
• One of the major threats for the security of the
  current networks.
• Designed to exploit certain vulnerabilities found
  in many hosts on the internet
• Polymorphic Worms
• Can change their appearance in each instance

3
Detection of Worms

• Use of Intrusion detection system (IDS) such as
  Bro and Snort that use signature database

4
Problem and Solution

• Signature generation is human labor intensive
• Frequent database update required
• Slow response for detection of novel worms
• New threats like Polymorphic worm
• Solution
• Automatic generation of Signatures

5
Characteristic of worms

• Replicate within a few minutes or even seconds
• Voluminous
• Contain some invariant byte strings needed to
  exploit vulnerability

6
Automatic signature generation approaches

• Content based detection
• Autograph
• Polygraph
• Hamsa
• Structure based detection

7
Content Based Detection
8
Autograph

• Based on single string matching
• Consists of two phases -suspicious flow selection
  and signature generation
• Suspicious flow generation using port scanning
• The signature contains ltIP protocol number,
  destination port number, byte sequencegt
• For the same IP protocol and destination port
  number, byte sequence in flow is matched against
  signature

9
Autograph contd..

• Suspicious flow is divided into smaller content
  blocks and the number of suspicious flow in which
  each content block occurs is counted.
• The content block is ranked according to its
  prevalence, higher the count, higher the
  prevalence.
• The most frequently occurring content block is
  used as the signature.

10
Problem

• Not effective for Polymorphic worm
• Quality of the signature depends upon the size of
  the content block

11
Ploygraph

• Based on matching multiple invariant substrings
• Effective for Polymorphic worms

12
Architecture of Polygraph monitor
Reference fig 41
13
Polygraph contd..

• Network flow classification
• Preprocessing token extraction
• Signature generation- 3 methods
• Conjunction signature
• Token Subsequence signature
• Bayes signature

14
Conjunction signature

• Worm sample should match all the tokens in
  signature, unordered
• Signature generated by extracting all distinct
  tokens that are found in all samples in the
  suspicious pool

15
Token Subsequence signature

• Worm sample should match all the tokens in
  signature in the same order
• Signature generated by finding the ordered
  sequence of tokens present in every sample in the
  suspicious pool iterative applying string
  alignment algorithm.

16
Bayes signature

• Based on Probabilistic matching
• Two types of probabilities calculated for each
  token
• probability that the token is present in the
  suspicious flow
• probability that it is present in the innocuous
  flow
• Each token is associated with the score and
  threshold

17
Hamsa
Reference 2 3
18
Hamsa contd..
Reference 33
19
Hamsa contd

• Fast extracts tokens that at occurs at least ?
  fraction of all the flow

20
Based On Structure of Executables
21
Structure of Executables Based

• Problems
• Metamorphic nature of worm
• Substitution of equivalent codes in decryption
  routine
• Solution
• Look for the executables codes instead of byte
  string

22
Basic Steps

• Basic Blocks Extracted
• Control Flow Graph (CFG) is constructed
• Color code to each node of CFG is assigned
• Fingerprint is saved in a table
• Number of same fingerprint exceeds threshold,
  identified as worm

23
Executable Codes Region Extraction

• Codes are different for different architecture
  like x86, MIPS, Alpha
• Only x86 is investigated
• Steps
• Entire network stream taken
• k-sub graph created

24
k-Sub Graph Generation

• Sub Graph length k
• advantage removes useless trees
• Spanning tree taking any node as root is created
• All possible variations of tree keeping root same
  is generated

25
Fingerprint Generation
Reference Fig 44
26
Color Code Assignment

• 14 bit color code
• Corresponding bit is Set if code belongs to that
  class
• Code is appended to the matrix to generate
  fingerprint

27
Detection

• Fingerprint is used to index the table
• Source Destination IP pair is saved
• Number of same fingerprint exceeds threshold,
  worm alert is raised

28
Evaluation

• 128.673495 per KB fingerprints generated for
  executable streams
• Only 0.1 Mismatch collision
• False Alarm Rate
• Threshold 3 12661 False Alarms
• Threshold 21 22 False Alarms
• False Alarms due to same binary files accessed
  heavily

29
Evaluation contd..

• ADMmutate Engine
• 66 Instance out of 100 share same fingerprint
• 31 Instance share another fingerprint
• 3 have unique ones
• Different Signatures due to different color codes

30
Prototype Problems

• Offline Process
• Executable code synchronization problem
• Size of k is critical
• Susceptible to code class

31
Conclusion

• Autograph prototype cant detect polymorphic worm
• Polygraph can detect polymorphic worm but with
  some constraints
• Hamsa claims to be faster and better than
  Polygraph
• Structure based also can detect but is offline

32
References

• J. Newsome, B. Karp and D. Song, Polygraph
  Automatically Generating Signatures for
  Polymorphic Worms, 2005 IEEE Symposium on
  Security and Privacy, May 2005,pp 226 -241
• H. Kim, B. Karp, Autograph Toward Automated,
  Distributed Worm Signature Detection, In
  proceedings of 13th USENIX Security Symposium,
  Aug 2005
• Z. Li, M. Sanghi, Y. Chen, M.. Kao and B.
  Chavez, Hamsa Fast Signature Generation for
  Zero-day PolymorphicWorms with Provable Attack
  Resilience, 2006 IEEE Symposium on Security and
  Privacy, May 2005,pp 32 -47
• C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and
  G. Vigna, "Polymorphic Worm Detection Using
  Structural Information of Executables", Eighth
  International Symposium on Recent Advances in
  Intrusion Detection, Sep 2005
• C. Kreibich and J. Crowcrof, Honeycomb creating
  intrusion detection signatures using honeypots,
  In proc of Second Workshop on Hot Topics in
  Network (HoneyNets-II),Nov 2003
• S. Singh, C. Estan, G. Varghese and S. Savage,
  Automated worm fingerprinting, In proc of 6th
  ACM/USENIX Symposium on Operating System Design
  and implementation (OSDI),Dec. 2004

33
Any Questions ?
34
Thank You!