Research Article
SAS: Semantics Aware Signature Generation for Polymorphic Worm Detection
@INPROCEEDINGS{10.1007/978-3-642-16161-2_1, author={Deguang Kong and Yoon-Chan Jhi and Tao Gong and Sencun Zhu and Peng Liu and Hongsheng Xi}, title={SAS: Semantics Aware Signature Generation for Polymorphic Worm Detection}, proceedings={Security and Privacy in Communication Networks. 6th Iternational ICST Conference, SecureComm 2010, Singapore, September 7-9, 2010. Proceedings}, proceedings_a={SECURECOMM}, year={2012}, month={5}, keywords={Worm Signature Generation Machine Learning Semantics Data Flow Analysis Hidden Markov Model}, doi={10.1007/978-3-642-16161-2_1} }
- Deguang Kong
Yoon-Chan Jhi
Tao Gong
Sencun Zhu
Peng Liu
Hongsheng Xi
Year: 2012
SAS: Semantics Aware Signature Generation for Polymorphic Worm Detection
SECURECOMM
Springer
DOI: 10.1007/978-3-642-16161-2_1
Abstract
String extraction and matching techniques have been widely used in generating signatures for worm detection, but how to generate effective worm signatures in an adversarial environment still remains challenging. For example, attackers can freely manipulate byte distributions within the attack payloads and also can inject well-crafted noisy packets to contaminate the suspicious flow pool. To address these attacks, we propose SAS, a novel SASalgorithm for automatic signature generation. When SAS processes packets in a suspicious flow pool, it uses data flow analysis techniques to remove non-critical bytes. We then apply a Hidden Markov Model (HMM) to the refined data to generate state-transition-graph based signatures. To our best knowledge, this is the first work combining semantic analysis with statistical analysis to automatically generate worm signatures. Our experiments show that the proposed technique can accurately detect worms with concise signatures. Moreover, our results indicate that SAS is more robust to the byte distribution changes and noise injection attacks comparing to Polygraph and Hamsa.