Abstract
To prevent worms from propagating rapidly, it is essential to generate worm signatures quickly and accurately. However, existing methods for generating worm signatures either cannot handle noise well or assume that the suspicious flow pool contains only one kind of worm sequence. We propose an approach based on seed-extending signature generation (SESG) that generates polymorphic worm signatures from a suspicious flow pool containing several kinds of worm sequences together with noise sequences. The SESG algorithm computes a weight for every sequence, queues the sequences by weight, and then classifies them; worm signatures are generated from the classified worm sequences. We compare SESG with other approaches: SESG can separate worm sequences from noise sequences in a suspicious flow pool, and generates effective worm signatures more easily.
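The abstract describes the pipeline (weight every sequence, queue by weight, classify by extending from a seed, then derive a signature per class) without fixing the definitions. The following is an added toy illustration of that pipeline, not the paper's SESG and not code from the authors. Every definition in it is an assumption made for the example: the weight of a sequence is the number of k-grams it shares with the other pool members, a sequence joins the current seed when it shares at least `MIN_SHARED` k-grams with it, sequences whose weight stays below `NOISE_WEIGHT` are labelled noise, and a signature is a conjunction of byte tokens present in every member of a class. The pool (`A1`..`A3`, `B1`..`B3`, `N1`..`N3`) is constructed: two polymorphic families with fixed invariant bytes around variable padding, plus three unrelated noise flows.

```python
"""Toy seed-extending classification of a suspicious flow pool.

Added illustration only. The weight function, extension threshold and
signature form used here are assumptions chosen for this example; they
are not the SESG definitions from the paper.
"""
K = 4              # k-gram length used for content comparison (assumption)
MIN_SHARED = 4     # k-grams a sequence must share with the seed to join it (assumption)
NOISE_WEIGHT = 4   # sequences weighing less than this are treated as noise (assumption)


def kgrams(seq: bytes, k: int = K) -> set:
    """All k-byte substrings of seq."""
    return {seq[i:i + k] for i in range(len(seq) - k + 1)}


def compute_weights(pool, k=K):
    """Weight of a sequence = number of k-grams it shares with each other pool
    member, summed. Variants of one worm family share their invariant bytes
    with every sibling and weigh heavily; unrelated noise weighs about 0."""
    grams = [kgrams(s, k) for s in pool]
    weights = [sum(len(g & h) for j, h in enumerate(grams) if j != i)
               for i, g in enumerate(grams)]
    return weights, grams


def classify(pool, k=K, min_shared=MIN_SHARED, noise_weight=NOISE_WEIGHT):
    """Queue sequences by weight; repeatedly take the heaviest unclassified
    one as a seed and pull in every remaining sequence that shares at least
    min_shared k-grams with it. Light sequences that never join a cluster
    are noise. Returns (clusters, noise); each cluster lists its seed first."""
    weights, grams = compute_weights(pool, k)
    queue = sorted(range(len(pool)), key=lambda i: -weights[i])
    clusters, noise = [], []
    while queue:
        seed = queue.pop(0)
        if weights[seed] < noise_weight:
            noise.append(pool[seed])
            continue
        members, rest = [seed], []
        for i in queue:
            (members if len(grams[seed] & grams[i]) >= min_shared else rest).append(i)
        queue = rest
        clusters.append([pool[i] for i in members])
    return clusters, noise


def generate_signature(members, k=K):
    """Conjunction signature: maximal byte tokens (length >= k) that occur in
    every member of the cluster, found by walking the seed and extending each
    common k-gram as long as all members still contain the substring."""
    seed = members[0]
    tokens, i = [], 0
    while i + k <= len(seed):
        if all(seed[i:i + k] in m for m in members):
            j = i + k
            while j < len(seed) and all(seed[i:j + 1] in m for m in members):
                j += 1
            tokens.append(seed[i:j])
            i = j
        else:
            i += 1
    return tokens


def matches(tokens, flow: bytes) -> bool:
    """A flow matches when it contains every token of the signature."""
    return all(t in flow for t in tokens)


# Constructed sample pool: two polymorphic families plus unrelated noise.
A_PRE, A_NOP, A_RET = b"GET /vuln.cgi?id=", b"\x90" * 6, b"\xff\xe4\xeb\x10"
A1 = A_PRE + b"q7Tz" + A_NOP + b"Lm3x" + A_RET
A2 = A_PRE + b"aB2k9" + A_NOP + b"Wv" + A_RET
A3 = A_PRE + b"p" + A_NOP + b"n5Jy8" + A_RET
B_PRE, B_TOK = b"\x00\x01\x86\xa0\x00\x00\x00\x02", b"\x7fELF"
B1 = B_PRE + b"c4" + B_TOK + b"d1Rf"
B2 = B_PRE + b"e" + B_TOK + b"g6"
B3 = B_PRE + b"hK8" + B_TOK + b"i"
N1 = b"HTTP/1.1 200 OK\r\nServer: nginx"
N2 = b"SSH-2.0-OpenSSH_7.4p1 Debian"
N3 = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03Z"
POOL = [N1, A1, B1, A2, N2, B2, A3, N3, B3]


def build_signatures(pool=POOL, k=K):
    """Classify the pool, then derive one signature per worm cluster."""
    clusters, noise = classify(pool, k)
    return [(cluster, generate_signature(cluster, k)) for cluster in clusters], noise


if __name__ == "__main__":
    sigs, noise = build_signatures()
    for cluster, tokens in sigs:
        print(len(cluster), "members ->", tokens)
    print(len(noise), "noise sequences")
```

On the constructed pool this yields two clusters of three variants each, with signatures consisting of the invariant prefix, the NOP sled and the return-address bytes for the first family and the two fixed fragments for the second, while the three noise flows are set aside. The caveat a practitioner should keep in mind: this toy decides noise purely by weight, so benign flows that happen to share protocol boilerplate (two HTTP responses, say) would cluster and yield a signature built from that boilerplate. A real generator additionally checks candidate tokens against a pool of known-benign traffic before accepting them, so that the resulting signature's false-positive rate is bounded.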
Acknowledgments
This work is supported by National Natural Science Foundation of China under Grant No.61202495.
Copyright information
© 2016 Springer International Publishing Switzerland
Cite this paper
Wang, J., He, X. (2016). A Signature Generation Approach Based on Clustering for Polymorphic Worm. In: Yung, M., Zhang, J., Yang, Z. (eds) Trusted Systems. INTRUST 2015. Lecture Notes in Computer Science(), vol 9565. Springer, Cham. https://doi.org/10.1007/978-3-319-31550-8_6
DOI: https://doi.org/10.1007/978-3-319-31550-8_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-31549-2
Online ISBN: 978-3-319-31550-8
eBook Packages: Computer Science, Computer Science (R0)