
ERES: an extended regular expression signature for polymorphic worm detection

Original Paper, Journal of Computer Virology and Hacking Techniques

Abstract

The rapid spread of modern, sophisticated polymorphic worms poses a serious threat to internet security. Several signature classes have been proposed to meet this challenge. Although previous schemes incorporate patterns such as 1-byte invariants and distance restrictions into their signature classes, they do not consider the set of specific values that are essential for a worm to execute successfully. In this paper, we introduce a new signature type called ERES (Extended Regular Expression Signature). By including all of the above specifications, together with the probability of being a worm, in the worm signature, ERES generates a more specific signature that leads to more accurate detection. In addition, to speed up signature extraction, it combines token extraction with sequence alignment. Evaluations on multiple polymorphic worms show that this approach performs favourably in terms of speed, accuracy, and noise tolerance.


Notes

  1. True Positives (TP): the number of malicious executables correctly classified as malicious.
     True Negatives (TN): the number of benign programs correctly classified as benign.
     False Positives (FP): the number of benign programs falsely classified as malicious.
     False Negatives (FN): the number of malicious executables falsely classified as benign.
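The abstract names the ingredients of an ERES signature (invariant tokens, distance restrictions, a set of specific byte values, and a probability of being a worm) and the note above defines the TP/TN/FP/FN counts used to score a detector. The following is an added sketch of those concepts, not the paper's own algorithm or code: the signature structure (`EresSignature`), the regex compilation, the naive `common_tokens` extractor standing in for the paper's token-extraction step, the `worm_probability` field, and all payloads are assumptions constructed for illustration.

```python
"""Illustrative ERES-style signature: invariant tokens, a specific-value
set, and distance restrictions, compiled to one regular expression and
scored with the TP/TN/FP/FN counts defined in the paper's notes.
Added sketch of the concepts the abstract names; not the paper's code."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Set, Tuple, Union

# One signature element: an invariant byte string, or a set of specific
# byte values, one of which must occupy a single position.
Element = Union[bytes, FrozenSet[int]]


@dataclass(frozen=True)
class EresSignature:
    elements: Tuple[Element, ...]          # ordered invariants and value sets
    gaps: Tuple[Tuple[int, int], ...]      # (min, max) bytes allowed between consecutive elements
    worm_probability: float                # confidence attached to the signature (assumed field)

    def to_regex(self) -> "re.Pattern[bytes]":
        if len(self.gaps) != len(self.elements) - 1:
            raise ValueError("need exactly one gap per pair of consecutive elements")
        parts: List[bytes] = []
        for i, el in enumerate(self.elements):
            if isinstance(el, bytes):
                parts.append(re.escape(el))               # invariant token, matched literally
            else:
                # character class listing the permitted specific values
                parts.append(b"[" + b"".join(re.escape(bytes([v])) for v in sorted(el)) + b"]")
            if i < len(self.gaps):
                lo, hi = self.gaps[i]
                parts.append(b".{%d,%d}" % (lo, hi))      # distance restriction
        return re.compile(b"".join(parts), re.DOTALL)

    def matches(self, payload: bytes) -> bool:
        return self.to_regex().search(payload) is not None


def common_tokens(samples: Sequence[bytes], min_len: int = 3) -> Set[bytes]:
    """Invariant tokens: maximal substrings of length >= min_len present in every
    sample (a naive stand-in for the token-extraction step the abstract mentions)."""
    first = samples[0]
    candidates = {first[i:j]
                  for i in range(len(first))
                  for j in range(i + min_len, len(first) + 1)
                  if all(first[i:j] in s for s in samples[1:])}
    return {t for t in candidates
            if not any(t != u and t in u for u in candidates)}


def evaluate(sig: EresSignature, labelled: Sequence[Tuple[bytes, bool]]) -> Dict[str, int]:
    """Count TP/TN/FP/FN as defined in the paper's notes; label True means malicious."""
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for payload, is_worm in labelled:
        hit = sig.matches(payload)
        key = ("TP" if hit else "FN") if is_worm else ("FP" if hit else "TN")
        counts[key] += 1
    return counts


# Constructed polymorphic variants: invariant "CMD=" and "END", a command
# byte drawn from {0x01, 0x02}, and varying filler between them.
WORM_SAMPLES = [
    b"CMD=ab\x01" + b"q" * 10 + b"END",
    b"CMD=\x02" + b"r" * 16 + b"ENDtail",
    b"preCMD=xyz\x02" + b"s" * 8 + b"END",
]

SIGNATURE = EresSignature(
    elements=(b"CMD=", frozenset({0x01, 0x02}), b"END"),
    gaps=((0, 4), (8, 16)),
    worm_probability=0.9,
)

# Constructed evaluation set: the three variants above, one variant that
# stretches the first gap past the restriction, and benign messages, one of
# which happens to fit the signature.
EVAL_SET = [(s, True) for s in WORM_SAMPLES] + [
    (b"CMD=abcde\x01" + b"t" * 12 + b"END", True),    # evades: first gap is 5 > 4
    (b"CMD=ab\x03q" + b"q" * 9 + b"END", False),      # value byte not in the set
    (b"CMD=ab\x01" + b"q" * 30 + b"END", False),      # second gap too long
    (b"hello world, no marker here", False),
    (b"CMD=\x01" + b"z" * 9 + b"END", False),         # benign but matches
]

if __name__ == "__main__":
    print("extracted tokens:", common_tokens(WORM_SAMPLES))
    print("pattern:", SIGNATURE.to_regex().pattern)
    print("counts:", evaluate(SIGNATURE, EVAL_SET))
```

Running the block prints the two extracted invariants, the compiled pattern `CMD=.{0,4}[\x01\x02].{8,16}END`, and counts of 3 TP, 3 TN, 1 FP and 1 FN over the constructed set. The value set is what separates the benign `\x03` message from the variants, and the distance restrictions are what reject the overlong filler; loosening either bound trades false negatives for false positives, which is the tuning the probability field is meant to express.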


Corresponding author: Razieh Eskandari.


Cite this article

Eskandari, R., Shajari, M. & Ghahfarokhi, M.M. ERES: an extended regular expression signature for polymorphic worm detection. J Comput Virol Hack Tech 15, 177–194 (2019). https://doi.org/10.1007/s11416-019-00330-1
