Abstract
The rapid spread of modern, sophisticated polymorphic worms poses a serious threat to Internet security. Several signature classes have been proposed to meet this challenge. Although previous schemes incorporate patterns such as 1-byte invariants and distance restrictions into their signature classes, they do not consider the sets of specific values that are important to the successful execution of a worm. In this paper, we introduce a new signature type, called ERES (Extended Regular Expression Signature). By incorporating all of the above features, along with the probability of being a worm, into the worm signature, ERES generates a more specific signature and therefore more accurate detection. In addition, to accelerate the signature extraction process, it combines token extraction with sequence alignment. Evaluations on multiple polymorphic worms demonstrate that this approach compares favorably in terms of speed, accuracy, and noise tolerance.
Notes
True Positives (TP): the number of malicious executables correctly classified as malicious.
True Negatives (TN): the number of benign programs correctly classified as benign.
False Positives (FP): the number of benign programs falsely classified as malicious.
False Negatives (FN): the number of malicious executables falsely classified as benign.
Cite this article
Eskandari, R., Shajari, M. & Ghahfarokhi, M.M. ERES: an extended regular expression signature for polymorphic worm detection. J Comput Virol Hack Tech 15, 177–194 (2019). https://doi.org/10.1007/s11416-019-00330-1
DOI: https://doi.org/10.1007/s11416-019-00330-1