Security and Privacy in Communication Networks. 6th International ICST Conference, SecureComm 2010, Singapore, September 7-9, 2010. Proceedings

Research Article

SAS: Semantics Aware Signature Generation for Polymorphic Worm Detection

  • @INPROCEEDINGS{10.1007/978-3-642-16161-2_1,
        author={Deguang Kong and Yoon-Chan Jhi and Tao Gong and Sencun Zhu and Peng Liu and Hongsheng Xi},
        title={SAS: Semantics Aware Signature Generation for Polymorphic Worm Detection},
        proceedings={Security and Privacy in Communication Networks. 6th International ICST Conference, SecureComm 2010, Singapore, September 7-9, 2010. Proceedings},
        proceedings_a={SECURECOMM},
        year={2012},
        month={5},
        keywords={Worm Signature Generation Machine Learning Semantics Data Flow Analysis Hidden Markov Model},
        doi={10.1007/978-3-642-16161-2_1}
    }
    
  • Deguang Kong
    Yoon-Chan Jhi
    Tao Gong
    Sencun Zhu
    Peng Liu
    Hongsheng Xi
    Year: 2012
    SAS: Semantics Aware Signature Generation for Polymorphic Worm Detection
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-642-16161-2_1
Deguang Kong*, Yoon-Chan Jhi1,*, Tao Gong2,*, Sencun Zhu1,*, Peng Liu1,*, Hongsheng Xi2,*
  • 1: Pennsylvania State University
  • 2: University of Science & Technology of China
*Contact email: kdg@mail.ustc.edu.cn, jhi@cse.psu.edu, jiangt@mail.ustc.edu.cn, szhu@cse.psu.edu, pliu@ist.psu.edu, xihs@ustc.edu.cn

Abstract

String extraction and matching techniques have been widely used to generate signatures for worm detection, but generating effective worm signatures in an adversarial environment remains challenging. For example, attackers can freely manipulate byte distributions within the attack payloads and can inject well-crafted noisy packets to contaminate the suspicious flow pool. To address these attacks, we propose SAS, a novel algorithm for automatic signature generation. When SAS processes packets in a suspicious flow pool, it uses data flow analysis techniques to remove non-critical bytes. We then apply a Hidden Markov Model (HMM) to the refined data to generate state-transition-graph based signatures. To the best of our knowledge, this is the first work combining semantic analysis with statistical analysis to automatically generate worm signatures. Our experiments show that the proposed technique can accurately detect worms with concise signatures. Moreover, our results indicate that SAS is more robust to byte distribution changes and noise injection attacks than Polygraph and Hamsa.
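The abstract describes a two-stage pipeline: strip bytes the data-flow analysis marks as non-critical, then fit an HMM to what remains and use the resulting state-transition graph as the signature. The toy below is an added illustration of that shape and is not the authors' SAS code. It assumes away the data-flow step (the critical offsets are a hand-written set, and the payload layout, pool, variant and benign flow are all constructed), and the "signature" is a left-to-right HMM with one match state per critical byte plus an insertion self-loop, scored by Viterbi. The point it shows is why such a signature survives an attacker rewriting the filler bytes: the filler never reaches the model, so a polymorphic variant scores exactly like the training samples while an unrelated flow does not.

```python
import math
from collections import Counter

ALPHABET = 256
PSEUDO = 0.1               # additive smoothing on emission counts
P_INSERT = 0.05            # probability of an inserted (unmodelled) byte
LOG_UNIFORM = -math.log(ALPHABET)
MARGIN = 1.0               # slack below the weakest training score

# Constructed toy layout (an assumption, not the paper's data): offsets 0-3 hold a
# fixed protocol verb, 4-11 a polymorphic filler, 12-17 a fixed decoder-like stub.
# In SAS the critical offsets come from data-flow analysis; here they are given.
CRITICAL_OFFSETS = set(range(0, 4)) | set(range(12, 18))

HEADER = b"EXPL"
STUB = b"\xd5\xc0\xde\x01\x02\x03"        # placeholder bytes, not real code

def build(filler: bytes) -> bytes:
    """Assemble one constructed 20-byte attack payload."""
    assert len(filler) == 8
    return HEADER + filler + STUB + b"\x00\x00"

POOL = [                                  # suspicious flow pool (constructed)
    build(b"\x90" * 8),
    build(bytes(range(8))),
    build(b"ABCDEFGH"),
]
VARIANT = build(b"\x11\x22\x33\x44\x55\x66\x77\x88")  # new filler, same critical bytes
BENIGN = b"GET /index.html HTTP/1.1\r\n"              # constructed benign flow

def refine(payload, critical=CRITICAL_OFFSETS):
    """Stand-in for the data-flow step: keep only bytes marked critical."""
    return bytes(b for i, b in enumerate(payload) if i in critical)

def train(pool):
    """One match state per critical position; emissions are smoothed byte counts."""
    refined = [refine(p) for p in pool]
    length = min(len(r) for r in refined)
    total = len(refined) + PSEUDO * ALPHABET
    states = []
    for i in range(length):
        counts = Counter(r[i] for r in refined)
        states.append([math.log((counts[b] + PSEUDO) / total) for b in range(ALPHABET)])
    return states

def score(states, payload):
    """Viterbi log-likelihood per refined byte. Each byte either advances one
    match state or is absorbed as an insertion (uniform emission, same state);
    the path must end in the final state, so every critical byte must be seen."""
    seq = refine(payload)
    n, L = len(seq), len(states)
    if n == 0:
        return float("-inf")
    NEG = float("-inf")
    log_adv, log_ins = math.log(1 - P_INSERT), math.log(P_INSERT)
    v = [0.0] + [NEG] * L            # v[j]: best log-prob ending in state j
    for b in seq:
        nv = [NEG] * (L + 1)
        for j in range(L + 1):
            if v[j] == NEG:
                continue
            if j < L:                # consume b as the match for state j
                nv[j + 1] = max(nv[j + 1], v[j] + log_adv + states[j][b])
            nv[j] = max(nv[j], v[j] + log_ins + LOG_UNIFORM)   # insertion
        v = nv
    return v[L] / n

def build_signature(pool):
    """Train the HMM and derive the detection threshold from the pool itself."""
    states = train(pool)
    threshold = min(score(states, p) for p in pool) - MARGIN
    return states, threshold

def matches(signature, payload):
    states, threshold = signature
    return score(states, payload) >= threshold

if __name__ == "__main__":
    sig = build_signature(POOL)
    for name, flow in (("pool[0]", POOL[0]), ("variant", VARIANT), ("benign", BENIGN)):
        print(f"{name:8s} score={score(sig[0], flow):7.3f} match={matches(sig, flow)}")
```

Because the filler offsets are dropped before training, the three pool samples agree at every modelled position and the variant reproduces their score exactly; the benign flow disagrees at every critical position and lands several nats per byte lower. A real implementation would have to derive the critical set from the data flow of the target program rather than from fixed offsets, and would need to handle the noise-injection case the abstract mentions, where some flows in the pool are not worm instances at all.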