
A Novel Signature Generation Approach for Polymorphic Worms

  • Conference paper
Algorithms and Architectures for Parallel Processing (ICA3PP 2015)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9530)


Abstract

Because of complex polymorphism in worms and the disturbance of crafted noise, it has become more difficult to generate signatures quickly and accurately. This paper proposes a neighbor relation signature (NRS) for polymorphic worms, which is a collection of distance frequency distributions between neighboring bytes. Moreover, we propose a signature generation algorithm (NRS-CC) that combines NRS with the color coding technique. NRS-CC selects sequences randomly from the suspicious flow pool to generate neighbor relation signatures, and then uses the color coding technique to eliminate noise disturbance. Extensive experiments are carried out to demonstrate the validity of our approach. The experimental results show that our approach generates polymorphic signatures more quickly than existing signature generation approaches when the suspicious flow pool contains noise sequences.



Acknowledgment

This work is supported by the National Natural Science Foundation of China under Grant No. 61202495 and No. 61402542.

Author information


Corresponding author

Correspondence to Jie Wang.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Wang, J., He, X. (2015). A Novel Signature Generation Approach for Polymorphic Worms. In: Wang, G., Zomaya, A., Martinez, G., Li, K. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2015. Lecture Notes in Computer Science, vol 9530. Springer, Cham. https://doi.org/10.1007/978-3-319-27137-8_28


  • DOI: https://doi.org/10.1007/978-3-319-27137-8_28


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-27136-1

  • Online ISBN: 978-3-319-27137-8

  • eBook Packages: Computer Science, Computer Science (R0)
