Using a bioinformatics approach to generate accurate exploit-based signatures for polymorphic worms

doi:10.1016/j.cose.2009.06.003

Computers & Security

Volume 28, Issue 8, November 2009, Pages 827-842

https://doi.org/10.1016/j.cose.2009.06.003 Get rights and content

Abstract

In this paper, we propose Simplified Regular Expression (SRE) signature, which uses multiple sequence alignment techniques, drawn from bioinformatics, in a novel approach to generating more accurate exploit-based signatures. We also provide formal definitions of what is “a more specific” and what is “the most specific” signature for a polymorphic worm and show that the most specific exploit-based signature generation is NP-hard. The approach involves three steps: multiple sequence alignment to reward consecutive substring extractions, noise elimination to remove noise effects, and signature transformation to make the SRE signature compatible with current IDSs. Experiments on a range of polymorphic worms and real-world polymorphic shellcodes show that our bioinformatics approach is noise-tolerant and as that because it extracts more polymorphic worm characters, like one-byte invariants and distance restrictions between invariant bytes, the signatures it generates are more accurate and precise than those generated by some other exploit-based signature generation schemes.

Introduction

Internet worms propagate over the Internet through infections in which a worm sends a payload (such as a shellcode or a copy of itself) to the target host by exploiting operation system or network service vulnerabilities (Tang et al., 2009). A polymorphic worm is a worm that changes its appearance at each infection, making detection and prevention much harder. One of the most popular and effective ways to detect worms is signature-based detection (also called content-based filtering). The generated signature can be either exploit-based or vulnerability-based: an exploit-based signature describes the characteristics of one or a number of exploits; a vulnerability-based signature describes properties of one vulnerability and can detect all possible exploits utilizing this vulnerability.

Although vulnerability-based signature could be more effective, so far both exploit-based and vulnerability-based signatures have equal importance for worm detection in current IDSs (Vulnerability, 2005) for the following reasons. First, the real vulnerability-based signature¹ can be generated only if a vulnerability is disclosed (Brumley et al., 2006); however an exploit-based signature can be fast and timely generated to detect zero-day exploits of an undisclosed vulnerability. Second, most IDS/anti-virus vendors generate both types of signatures. Through them, we not only know when we were attacked, but how we were attacked by investigating whether an exploit is new or a variant of a well-known exploit. Third, some vulnerability-based signatures cannot be adopted in current IDSs since they require that IDSs are able to perform profound protocol analysis (Crandall et al., 2005). However, this obviously overestimates the capability of current IDSs. On the contrary, it has no such requirement to generate exploit-based signatures and hence exploit-based signature generation systems are more compatible to current IDSs. Compared with manual signature generation, the recently studied automatic signature generation approaches can generate more accurate signatures for worms much faster, especially for polymorphic worms. Thus, this paper will only focus on automatic exploit-based signature generation for polymorphic worms.

We find that currently available exploit-based signature generation approaches may fail to create accurate signatures from collections of exploit samples of polymorphic worms. To understand why, consider a sample of a polymorphic worm (an infection flow) as a string sequence consisting of invariant and wildcard bytes. Invariant bytes have fixed values and are present in every worm sample. In contrast, wildcard bytes change their values in each sample. Fig. 1 shows an example of the polymorphic Code Red II worm, which contains a sequence of seven invariant parts: “GET”, “.ida?”, “XX”, “%u”, “%u780”, “=”, and “HTTP/1.0 r n”. Typically, we would try to extract the invariant parts of polymorphic worms as their signatures, since invariant bytes in a worm flow are composed of a number of invariant parts which are crucial to the exploitation of a vulnerable server (Crandall et al., 2005, Newsome et al., 2005). But this raises two difficulties. First, some invariant parts in polymorphic worms cannot be extracted. Earlier approaches (Kreibich and Crowcroft, 2003, Kim and Karp, 2004, Singh et al., 2004) were able to generate only a single invariant part. More up-to-date approaches (Polygraph (Newsome et al., 2005) and Hamsa (Li et al., 2006)) can extract most invariant parts except for one-byte invariant parts (such as “=” in the Code Red II worm). Second, no approach takes into account all distance restrictions between invariant parts (like ‘‘‘%u780’ is 4 bytes after ‘%u”’ in the Code Red II worm). Yet we might surmise that whether one-byte invariant (signature) parts and distance restrictions are valuable in worm detection. Consider Table 1, which shows part of rules (a rule represents a signature) of two well-known IDSs, Snort and Bro. It can be seen that 40.6% of rules in Snort's exploit.rules file consist of multiple invariant parts, 38.7% contain distance restrictions, and 22% contain one-byte signature parts. These figures suggest that distance restrictions could play a role in worm infections and that signatures generated by previous NSG systems may not be accurate enough to identify worms, resulting in a high rate of false positives.

In this paper, we model the problem of generating accurate exploit-based signature given some zero-day exploits of a new polymorphic worm. We propose a signature type – Simplified Regular Expression (SRE) signature. SRE can be easily transformed to rules in current IDSs to accurately capture polymorphic worms. Based on SRE, we provide formal definitions of what is “a more specific” and what is “the most specific” signature of a polymorphic worm such that we can compare the accuracy of two signatures. We show that it is an NP-hard problem to generate the most specific SRE signature of a polymorphic worm. Our approach proposed in the paper is a network-based and exploit-based scheme to generate SRE signature for a single polymorphic worm. It is a bioinformatics approach, inspired by the multiple sequence alignment techniques (used to identify motifs and domains preserved by evolution) in bioinformatics. The approach consists of three steps: multiple sequence alignment, noise elimination and signature transformation. The multiple sequence alignment step is based on the T-coffee algorithm (Notredame et al., 2000) and our newly proposed CSR (Consecutive Substrings Rewarded) algorithm. CSR is a pairwise alignment algorithm that captures contiguous invariant parts in worm samples. It is an extension of the Needleman–Wunsch algorithm and is based on rewarding consecutive matches. We minimize the impact of noise samples by using a noise elimination algorithm that is relevant to a noise tolerance rate θ. A signature transformation step is used to derive accurate SRE signatures that can be conveniently used in current IDSs. We analyze the complexity of the approach and the impact of its noise tolerance rate θ.

Experiments on a range of polymorphic worms and real-world polymorphic shellcodes show that the SRE signatures generated by our approach are more accurate than those of previous methods, extracting more polymorphic worm characters, including the one-byte invariant and distance restriction, and distinguishes between benign traffic and worm traffic. Our approach is resilient to a small portion of noise samples. Our experiments show that our approach (combining the CSR and T-coffee algorithms) is more accurate than other sequence alignment algorithms with regard to accuracy.

The rest of the paper is organized as follows. We first review the related work in Section 2. In Section 3, we propose the SRE signature and raise the accurate exploit-based signature generation problem. In Section 4, we present a bioinformatics approach that generates accurate SRE signatures given some exploit samples from a polymorphic worm. Section 5 evaluates our approach with and without noise sample interference. We discuss the complexity, the scope and limitation of our approach in Section 6. Finally, Section 7 offers our conclusion.

Section snippets

Polymorphism technique

Polymorphism technique has been exploited to create worm flows and worm writers have started using polymorphic engines in recent years. Published polymorphic shellcode generators include ADMmutate, PHATBOT, Jempiscodes, PHolyP, Clet, TAPiON, and Metasploit. Common techniques used to write polymorphic shellcodes include Garbage and NOP insertions, register shuffling, equivalent code substitution, and encryption/decryption. Although it has been shown that it may be possible to create polymorphic

Accurate exploit-based signature generation problem

In this section, we first propose a new signature – Simplified Regular Expression (SRE) signature. Based on this signature, we formally define what is “a more specific” signature and what is “the most specific” signature to compare SRE signatures. Then we present the accurate exploit-based signature generation problem and we show that the most specific signature generation for polymorphic worms is NP-hard.

A bioinformatics approach to SRE signature generation

In this section, we propose a bioinformatics approach to accurate SRE signature generation for a single polymorphic worm, inspired by some related algorithms from bioinformatics. The kernel of this approach is multiple sequence alignment, which has been broadly studied in bioinformatics where it has been used to find all preserved or common motifs and domains from a set of DNA/RNA sequences (Notredame, 2002). This application is similar to our accurate signature generation problem in which we

Experiments

In this section, we evaluate our bioinformatics approach under different scenarios. After introducing metrics used to measure signature quality, we first evaluate our approach using synthetic polymorphic worms and compare it with previous approaches, like Polygraph (Newsome et al., 2005) and Hamsa (Li et al., 2006). Then, we show the signature generation quality for polymorphic shellcodes, which were constructed by some real-world shellcode engines. We also carried out experiments to test the

Complexity analysis

Suppose that there are N sequences of length L as the input to our signature generation approach. The time complexity of the CSR algorithm is O(L²) and the time complexity of multiple sequence alignment is O(N²L²) + O(N³L) + O(N³) + O(NL²), where O(N²L²) represents the computation involved in the pairwise alignment to build primary library, O(N³L) for library extension, O(N³) for guide tree construction and O(NL²) for the computation of the progressive alignment. Since the time complexity of noise

Conclusion

In this paper, we addressed the problem of generating accurate exploit-based signature for a single polymorphic worm and proposed a novel signature generation method based on multiple sequence alignment – a bioinformatics approach. This approach provides a more powerful method to accurately analyze the intrinsic similarities of worm samples. An IDS can employ such approach to locally generate accurate exploit-based signatures for polymorphic worms and such signatures can be distributed to other

Yong Tang received the B.Sc, M.Sc and Ph.D. degrees in computer science from College of Computer, National University of Defense Technology, China, in 1998, 2002 and 2008 respectively. Now he is a lecturer in the College of Computer, National University of Defense Technology, China. His primary research field is network security, especially on Internet worm attacks, intrusion detection and Honeypot.

References (34)

R. Lippmann et al.
The 1999 darpa off-line intrusion detection evaluation
Comput Networks
(2000)
S.B. Needleman et al.
A general method applicable to the search for similarities in the amino acid sequence of two proteins
Journal of Molecular Biology
(1970)
C. Notredame et al.
T-coffee: a novel method for fast and accurate multiple sequence alignment
Journal of Molecular Biology
(2000)
Brumley D, Newsome J, Song D, Wang H, Jha S. Towards automatic generation of vulnerability-based signatures. In: the...
Costa M, Crowcroft J, Castro M, Rowstron A, Zhou L, Zhang L, Barham P. Vigilante: end-to-end containment of internet...
Crandall JR, Su Z, Wu SF, Chong FT. On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm...
DeTristan T, Ulenspiegel T, Malcom Y, von Underduk MS. Polymorphic shellcode engine using spectrum analysis. Phrack...
Kim HA, Karp B. Autograph: toward automated, distributed worm signature detection. In: USENIX security symposium; 2004....
Kreibich C, Crowcroft J. Honeycomb – creating intrusion detection signatures using honeypots. In: The second workshop...
Ktwo, Admmutate: Shellcode mutation engine;...

V.I. Levenshtein

Binary codes capable of correcting deletions, insertions, and reversals

Soviet Physics Doklady

(1966)

Li Z, Sanghi M, Chen Y, Kao MY, Chavez B. Hamsa: fast signature generation for zero-day polymorphic worms with provable...

Li Z, Wang L, Chen Y, Fu Z. Network-based and attack-resilient length signature generation for zero-day polymorphic...

Liang Z, Sekar R. Fast and automated generation of attack signatures: a basis for building self-protecting servers. In:...

Liang Z, Sekar R. Automatic generation of buffer overflow attack signatures: an approach based on program behavior...

Newsome J, Song D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on...

Newsome J, Karp B, Song D. Polygraph: automatically generating signatures for polymorphic worms. In: the 2005 IEEE...

Cited by (36)

RNNIDS: Enhancing network intrusion detection systems through deep learning
2021, Computers and Security
Citation Excerpt :
Levenshtein distance: this distance metric defines how many substitutions, deletions or insertions are required to transform one string to another one. To assess the similarity of two strings, this metric has been used in the intrusion detection-related literature, e.g., Tang et al. (2009), Cesare and Xiang (2011). Beside that, it has its drawbacks: the main drawback of the Levenshtein algorithm is that it focuses on the global comparison between two strings, i.e., among all the variables in two strings.
Security of information passing through the Internet is threatened by today’s most advanced malware ranging from orchestrated botnets to simpler polymorphic worms. These threats, as examples of zero-day attacks, are able to change their behavior several times in the early phases of their existence to bypass the network intrusion detection systems (NIDS). In fact, even well-designed, and frequently-updated signature-based NIDS cannot detect the zero-day treats due to the lack of an adequate signature database, adaptive to intelligent attacks on the Internet. More importantly, having an NIDS, it should be tested on malicious traffic dataset that not only represents known attacks, but also can to some extent reflect the characteristics of unknown, zero-day attacks. Generating such traffic is identified in the literature as one of the main obstacles for evaluating the effectiveness of NIDS. To address these issues, we introduce RNNIDS that applies Recurrent Neural Networks (RNNs) to find complex patterns in attacks and generate similar ones. In this regard, for the first time, we demonstrate that RNNs are helpful to generate new, unseen mutants of attacks as well as synthetic signatures from the most advanced malware to improve the intrusion detection rate. Besides, to further enhance the design of an NIDS, RNNs can be employed to generate malicious datasets containing, e.g., unseen mutants of a malware. To evaluate the feasibility of our approaches, we conduct extensive experiments by incorporating publicly available datasets, where we show a considerable improvement in the detection rate of an off-the-shelf NIDS (up to 16.67%).
Data collection for attack detection and security measurement in Mobile Ad Hoc Networks: A survey
2018, Journal of Network and Computer Applications
Mobile Ad Hoc Network (MANET) is becoming one type of major next generation wireless networks. Nevertheless, it easily suffers from various attacks due to its specific characteristics. In order to evaluate and measure the security of MANET in real time and make this network react accordingly, a promising alternative is to integrate detection mechanisms that play a role of the second line of defense to detect attacks in MANETs. We note that in most attack detection mechanisms, it is essential and crucial to collect the data related to security for further analysis. If security-related data collection is untrustworthy, attack detection and security measurement might be impacted and disabled. Unfortunately, few existing studies concern security-related data collection in attack detection for the purpose of trustworthy security measurement. The literature lacks a thorough survey on security-related data collection for attack detection and security measurement in MANETs. In this paper, we propose a number of requirements for trustworthy security-related data collection, and then review detection mechanisms in MANETs that were published in recent 20 years. In particular, we employ the proposed requirements as a set of criteria to evaluate the existing work about security-related data collection. Based on the survey and evaluation, we identify a number of open issues and point out future research directions.
Integrating granular computing and bioinformatics technology for typical process routes elicitation: A process knowledge acquisition approach
2015, Engineering Applications of Artificial Intelligence
Citation Excerpt :
In other words, the purpose of sequence alignment is that, through the matching and replacement of characters or the insertion of gaps, two or more sequences are edited to reach the same length so that the identical characters in the different sequences can map one-to-one as much as possible. Therefore, according to the number of sequences to be aligned, sequence alignment is divided into pairwise alignment and multiple alignment (Laih, 2014; Eger, 2013; Tang et al., 2009). For pairwise alignment, the well-known Needleman–Wunsch (NW) algorithm, a dynamic programming-based optimization strategy, is often used to seek a best alignment of two sequences.
Computer-Aided Process Planning (CAPP) plays a significant role in modern manufacturing system, and knowledge-based CAPP system is one of the predominant trends of its development. How to discover and acquire valuable process knowledge from the existing process data by applying data mining methodology is always the key technology and bottleneck issue for improving the application level of knowledge-based CAPP systems. As an important knowledge of process flow, typical process routes have a vital influence on the accuracy and efficiency of part family oriented process planning. In this paper, a novel approach for elicitation of typical process routes through the combination of granular computing theory and bioinformatics technology is put forward. The sequence alignment technology in bioinformatics is used to establish the best alignment between two process routes, based on which their distance is exactly calculated. According to the distances between process routes to be analysed, the neighborhood-based granulation method in granular computing theory is applied to construct a series of process information granular layers with different granularity so as to acquire typical process routes from process information granules contained in an optimal granular layer. Two application examples not only adequately validate the applicability and effectiveness of the proposed approach, but also fully demonstrate its advantages in the quality and efficiency of typical process routes elicitation.
BIOPLAG: An Approach to Detect Programming Plagiarism
2023, Anais da Academia Brasileira de Ciencias
Generation of IDS Signatures through Exhaustive Execution Path Exploration in PoC Codes for Vulnerabilities
2023, Journal of Information Processing
Improved N-gram Algorithm for Unknown Malware Detection
2022, Proceedings - 2022 International Conference on Machine Learning, Cloud Computing and Intelligent Mining, MLCCIM 2022

View all citing articles on Scopus

Bin Xiao received the B.Sc and M.Sc degrees in Electronics Engineering from Fudan University, China. in 1997 and 2000 respectively, and Ph.D. degree from University of Texas at Dallas, USA, in 2003 from Computer Science. Now he is an Assistant Professor in the Department of Computing of Hong Kong Polytechnic University, Hong Kong. His research interests include communication and security in computer networks, peer-topeer networks, wireless mobile ad hoc and sensor networks.

Xicheng Lu received the B.Sc. degree in computer science from Harbin Military Engineering Institute, China, in 1970. He was a visiting scholar at the University of Massachusetts between 1982 and 1984. He is now a professor in College of Computer, National University of Defense Technology, Changsha, China. His research interests include distributed computing, computer networks, parallel computing, network security, etc. He has served as member of editorial boards of several journals and cochaired many professional conferences. He is the joint recipient of more than a dozen academic awards, including four First Class National Scientific and Technological Progress Prize of China. He is an academician of the Chinese Academy of Engineering.

: ^☆The work was partially supported by China 973 Grant No. 2005CB321801, China 863 Grant No. 2009AA01Z432 and HK RGC PolyU 5311/06E.

View full text