SISG: self‐immune automated signature generation for polymorphic worms
-
-
[1] University of Electronic Science and Technology of China
University of Electronic Science and Technology of China
China
-
- Localización: Compel: International journal for computation and mathematics in electrical and electronic engineering, ISSN 0332-1649, Vol. 29, Nº 2 (Special Issue: Selected papers from CAC 2008), 2010, págs. 445-467
- Idioma: inglés
- Enlaces
-
Resumen
Purpose – The purpose of this paper is to propose a self‐immune automated signature generation (SISG) for polymorphic worms which is able to work well, even while being attacked by any types of malicious adversary and produces global‐suited signatures other than local‐suited signatures for its distributed architecture. Through experimentations, the method is thereafter evaluated.
Design/methodology/approach – The ideal worm signature exist in each copy of the corresponding worm, but never in other worm categories and normal network traffic. SISG compares each worm copy and extract the same components, then produces the worm signature from the components which must achieve low‐false positive and low‐false negative. SISG is immune from the most attacks by filtering the harmful noise made by malicious adversaries before signature generation.
Findings – NOP sled, worm body and descriptor are not good to be signature because they can be confused intricately by polymorphic engines. Protocol frames may not suit to be signature for the anti‐automated signature generation attacks. Exploit bytes is the essential part of an ideal worm signature and it can be extracted by SISG exactly.
Originality/value – The paper proposes a SISG for polymorphic worms which is able to work well even while being attacked by any types of malicious adversary and produces global‐suited signatures other than local‐suited signatures for its distributed architecture.
