
PolyI-D: Polymorphic Worm Detection Based on Instruction Distribution

  • Conference paper
Information Security Applications (WISA 2006)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4298)

Abstract

Given the lack of diversity in the platforms and software running on Internet-attached hosts, Internet worms can spread all over the world in just a few minutes. Many researchers have proposed the signature-based Network Intrusion Detection System (NIDS) to defend the network against them. However, the polymorphic worm, which evolved from the traditional Internet worm, was devised to evade signature-based detection schemes, which effectively makes such a NIDS useless. Some schemes have been proposed to detect it, but they have shortcomings such as belated detection and heavy overhead.

In this paper, we propose a new system, called PolyI-D, that detects polymorphic worms in real time with little overhead through a set of tests based on instruction distribution. It is particularly suitable even for fast-spreading and continuously mutating worms.
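The instruction-distribution idea described in the abstract, as an added illustration that is not PolyI-D's own tests or code: a toy 32-bit x86 decoder (an assumption; a real detector would use a full disassembler) classifies the instructions decoded from a byte stream, and a payload is flagged when the distribution of its instruction classes is far from a constructed plain-text baseline.

```python
from collections import Counter

# Toy 32-bit x86 decoder: a handful of opcodes, everything else = one-byte "other"
# (assumption: a real detector would use a full disassembler).
ALU_RM = {0x01, 0x03, 0x09, 0x0B, 0x21, 0x23, 0x29, 0x2B, 0x31, 0x33, 0x39, 0x3B}

def modrm_len(data, i):
    """Bytes used by the ModRM at data[i] plus its SIB/displacement (simplified)."""
    if i >= len(data):
        return 1
    mod, rm = data[i] >> 6, data[i] & 7
    n = 1 + (1 if mod != 3 and rm == 4 else 0)                                # SIB byte
    n += 1 if mod == 1 else 4 if mod == 2 or (mod == 0 and rm == 5) else 0  # displacement
    return n

def decode(data):
    """Yield one instruction class per decoded instruction."""
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0x90:               cls, ln = "nop", 1
        elif 0x40 <= b <= 0x4F:     cls, ln = "incdec", 1
        elif 0x50 <= b <= 0x5F:     cls, ln = "pushpop", 1
        elif b in (0x6A, 0x68):     cls, ln = "pushpop", 2 if b == 0x6A else 5  # push imm
        elif b in ALU_RM:           cls, ln = "alu", 1 + modrm_len(data, i + 1)
        elif b in (0x89, 0x8B):     cls, ln = "mov", 1 + modrm_len(data, i + 1)
        elif 0xB8 <= b <= 0xBF:     cls, ln = "mov", 5                 # mov r32, imm32
        elif b in (0xE8, 0xE9):     cls, ln = "flow", 5                # call/jmp rel32
        elif b == 0xC3:             cls, ln = "flow", 1                # ret
        else:                       cls, ln = "other", 1
        yield cls
        i += ln

def distribution(data):
    """Fraction of decoded instructions falling in each class."""
    counts = Counter(decode(data))
    total = sum(counts.values()) or 1
    return {k: v / total for k, v in counts.items()}

def tv_distance(p, q):
    """Total-variation distance between two class distributions (0..1)."""
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))

# Constructed samples: an ordinary text payload and a machine-code-like byte run.
TEXT = b"Hello, world. This is an ordinary text payload."
CODE = bytes([0x55, 0x89, 0xE5, 0x31, 0xC0, 0x50, 0xB8, 1, 0, 0, 0,
              0xE8, 0, 0, 0, 0, 0x5D, 0xC3])

def looks_like_code(data, baseline=distribution(TEXT), threshold=0.5):
    """Flag a payload whose instruction distribution is far from the text baseline."""
    return tv_distance(distribution(data), baseline) > threshold
```

Note that ASCII text still decodes into valid instructions (uppercase letters land in the inc/dec and push/pop ranges), which is why the comparison is made on the whole distribution rather than on whether the bytes disassemble at all.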

This research was supported by the MIC (Ministry of Information and Communication), Korea, under the ITRC (Information Technology Research Center) support program supervised by the IITA (Institute of Information Technology Assessment).




Copyright information

© 2007 Springer Berlin Heidelberg

About this paper

Cite this paper

Lee, K.H., Kim, Y., Hong, S.J., Kim, J. (2007). PolyI-D: Polymorphic Worm Detection Based on Instruction Distribution. In: Lee, J.K., Yi, O., Yung, M. (eds) Information Security Applications. WISA 2006. Lecture Notes in Computer Science, vol 4298. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-71093-6_4


  • DOI: https://doi.org/10.1007/978-3-540-71093-6_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-71092-9

  • Online ISBN: 978-3-540-71093-6
