Polygraph: Automatically generating signatures for polymorphic worms

It is widely believed that content-signature-based intrusion detection systems (IDSes) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content sub-strings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives. © 2005 IEEE

Improved Detection for Advanced Polymorphic Malware

Malicious Software (malware) attacks across the internet are increasing at an alarming rate. Cyber-attacks have become increasingly more sophisticated and targeted. These targeted attacks are aimed at compromising networks, stealing personal financial information and removing sensitive data or disrupting operations. Current malware detection approaches work well for previously known signatures. However, malware developers utilize techniques to mutate and change software properties (signatures) to avoid and evade detection. Polymorphic malware is practically undetectable with signature-based defensive technologies. Today’s effective detection rate for polymorphic malware detection ranges from 68.75% to 81.25%. New techniques are needed to improve malware detection rates. Improved detection of polymorphic malware can only be accomplished by extracting features beyond the signature realm. Targeted detection for polymorphic malware must rely upon extracting key features and characteristics for advanced analysis. Traditionally, malware researchers have relied on limited dimensional features such as behavior (dynamic) or source/execution code analysis (static). This study’s focus was to extract and evaluate a limited set of multidimensional topological data in order to improve detection for polymorphic malware. This study used multidimensional analysis (file properties, static and dynamic analysis) with machine learning algorithms to improve malware detection. This research demonstrated improved polymorphic malware detection can be achieved with machine learning. This study conducted a number of experiments using a standard experimental testing protocol. This study utilized three advanced algorithms (Metabagging (MB), Instance Based k-Means (IBk) and Deep Learning Multi-Layer Perceptron) with a limited set of multidimensional data. Experimental results delivered detection results above 99.43%. In addition, the experiments delivered near zero false positives. The study’s approach was based on single case experimental design, a well-accepted protocol for progressive testing. The study constructed a prototype to automate feature extraction, assemble files for analysis, and analyze results through multiple clustering algorithms. The study performed an evaluation of large malware sample datasets to understand effectiveness across a wide range of malware. The study developed an integrated framework which automated feature extraction for multidimensional analysis. The feature extraction framework consisted of four modules: 1) a pre-process module that extracts and generates topological features based on static analysis of machine code and file characteristics, 2) a behavioral analysis module that extracts behavioral characteristics based on file execution (dynamic analysis), 3) an input file construction and submission module, and 4) a machine learning module that employs various advanced algorithms. As with most studies, careful attention was paid to false positive and false negative rates which reduce their overall detection accuracy and effectiveness. This study provided a novel approach to expand the malware body of knowledge and improve the detection for polymorphic malware targeting Microsoft operating systems

Distributed Early Worm Detection Based on Payload Histograms

科研費報告書収録論文(課題番号:18300017/研究代表者:根元義章/通信データ列特徴量の類似性に基づいた不正アクセス逆探知方式)68

Detecting Zero-day Polymorphic Worms with Jaccard Similarity Algorithm

Zero-day polymorphic worms pose a serious threat to the security of Mobile systems and Internet infrastructure. In many cases, it is difficult to detect worm attacks at an early stage. There is typically little or no time to develop a well-constructed solution during such a worm outbreak. This is because the worms act only to spread from node to node and they bring security concerns to everyone using Internet via any static or mobile node. No system is safe from an aggressive worm crisis. However, many of the characteristics of a worm can be used to defeat it, including its predictable behavior and shared signatures. In this paper, we propose an efficient signature generation method based on string similarity algorithms to generate signatures for Zero-day polymorphic worms. Then, these signatures are practically applied to an Intrusion Detection System (IDS) to prevent the network from such attacks. The experimental results show the efficiency of the proposed approach compared to other existing mechanisms

An Efficient Signature-Based Approach for Automatic Detection of Internet Worms over Large-Scale Networks

科研費報告書収録論文(課題番号:18300017/研究代表者:根元義章/通信データ列特徴量の類似性に基づいた不正アクセス逆探知方式)68

A Tiered Approach to Detect Metamorphic Malware With Hidden Markov Models

Work on the use of hidden Markov models (HMM) to detect viruses has been carried out previously with good results [2], but metamorphic viruses like MetaPHOR [27] and metamorphic worms like MWOR [3] have proven to be able to evade detection techniques based on HMMs. The dueling HMM approach looks to detect such viruses by training an HMM model for each of the metamorphic virus / worm families. The tests and the results from these have shown that this approach has been able to detect the metamorphic MetaPHOR virus with reasonable accuracy but with significantly more overhead. This paper presents a tiered approach that improves on this by achieving the same results as the dueling approach but with significant performance improvement in terms of time. Essentially the idea is to eliminate most putative malware with the threshold approach, reserving the dueling HMM analysis for more difficult cases. We achieve accurate results with significantly less performance overhead than the dueling HMM strategy. Furthermore, our approach successfully detects MWOR worms with a high degree of accuracy

CAREER: adaptive intrusion detection systems

Issued as final reportNational Science Foundation (U.S.