DOI: 10.1007/11663812_11
Article

Polymorphic worm detection using structural information of executables

Published: 07 September 2005

Abstract

Network worms are malicious programs that spread automatically across networks by exploiting vulnerabilities that affect a large number of hosts. Because of the speed at which worms spread to large computer populations, countermeasures based on human reaction time are not feasible. Therefore, recent research has focused on devising new techniques to detect and contain network worms without the need for human supervision. In particular, a number of approaches have been proposed to automatically derive signatures for network worms by analyzing worm-related network streams. Most of these techniques, however, assume that the worm code does not change during the infection process. Unfortunately, worms can be polymorphic: they can mutate as they spread across the network. To detect these types of worms, it is necessary to devise new techniques that are able to identify similarities between different mutations of a worm.
This paper presents a novel technique based on the structural analysis of binary code that allows one to identify structural similarities between different worm mutations. The approach is based on the analysis of a worm's control flow graph and introduces an original graph coloring technique that supports a more precise characterization of the worm's structure. The technique has been used as a basis to implement a worm detection system that is resilient to many of the mechanisms used to evade approaches based on instruction sequences only.
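The abstract's central idea, a fingerprint derived from a colored control flow graph rather than from the instruction bytes, as an added Python example. This is illustration code written for this page, not the paper's implementation: the instruction classes, the block-coloring rule, the brute-force canonical form and the sample programs are all assumptions chosen for the example. It builds a constructed loop, a mutation of it (register renaming, reordering of independent instructions, same-class substitution, nop insertion, relabelled blocks) that an instruction-sequence signature no longer matches but the structural fingerprint still does, and two cases where the structural fingerprint correctly differs, including the caveat that substituting an instruction from a different class changes a block's color.

```python
"""Structural (CFG) fingerprint versus instruction-sequence signature.
Constructed illustration: the instruction classes, the colored-graph canonical
form and the sample CFGs are assumptions for this example, not the paper's code.
A CFG is {block_name: (instructions, successor_block_names)}."""
import hashlib
from itertools import permutations, product

# Assumed coarse instruction classes: a block's color is derived from these, so
# register renaming and same-class substitution leave the color unchanged.
INSTRUCTION_CLASSES = {
    "mov": "xfer", "lea": "xfer", "push": "xfer", "pop": "xfer", "xchg": "xfer",
    "add": "arith", "sub": "arith", "inc": "arith", "dec": "arith",
    "xor": "logic", "and": "logic", "or": "logic", "not": "logic",
    "cmp": "test", "test": "test", "jmp": "branch", "jz": "branch", "jnz": "branch",
    "call": "call", "ret": "ret",
    "nop": None,  # assumption: padding carries no structural information
}

def block_color(instructions):
    """Color of a basic block: the set of instruction classes it contains."""
    classes = set()
    for ins in instructions:
        cls = INSTRUCTION_CLASSES[ins.split()[0]]  # KeyError on unknown mnemonic
        if cls is not None:
            classes.add(cls)
    return frozenset(classes)

def canonical_form(cfg):
    """Canonical form of the colored CFG, independent of block names.
    Nodes are ordered by color and only nodes sharing a color are permuted;
    the lexicographically smallest (colors, edges) pair wins. Exponential in the
    largest color class; stands in for a real canonical-labelling algorithm."""
    colors = {n: tuple(sorted(block_color(cfg[n][0]))) for n in cfg}
    groups = {}
    for n in cfg:
        groups.setdefault(colors[n], []).append(n)
    best = None
    for choice in product(*(permutations(groups[c]) for c in sorted(groups))):
        order = [n for grp in choice for n in grp]
        index = {n: i for i, n in enumerate(order)}
        edges = tuple(sorted((index[s], index[d]) for s in cfg for d in cfg[s][1]))
        candidate = (tuple(colors[n] for n in order), edges)
        if best is None or candidate < best:
            best = candidate
    return best

def structural_fingerprint(cfg):
    """Hash of the canonical colored CFG: equal for structurally equivalent code."""
    return hashlib.sha256(repr(canonical_form(cfg)).encode()).hexdigest()

def sequence_signature(cfg):
    """What an instruction-sequence signature matches on: the exact instruction text."""
    text = "\n".join(ins for block in cfg.values() for ins in block[0])
    return hashlib.sha256(text.encode()).hexdigest()

# Constructed sample: a counted loop summing bytes, then a call.
ORIGINAL = {
    "entry": (["mov ecx, 16", "lea esi, [buf]", "xor eax, eax"], ["loop"]),
    "loop": (["add eax, [esi]", "inc esi", "dec ecx", "test ecx, ecx", "jnz loop"],
             ["loop", "exit"]),
    "exit": (["push esi", "call handler"], ["done"]),
    "done": (["ret"], []),
}
# Same program after register renaming, reordering of independent instructions,
# same-class substitution (dec -> sub, test -> cmp), nop insertion and relabelling.
MUTATION = {
    "b0": (["xor ebx, ebx", "nop", "lea edi, [buf]", "mov edx, 16"], ["b1"]),
    "b1": (["add ebx, [edi]", "nop", "inc edi", "sub edx, 1", "cmp edx, 0", "jnz b1"],
           ["b1", "b2"]),
    "b2": (["push edi", "call handler"], ["b3"]),
    "b3": (["ret"], []),
}
# Cross-class substitution (xor eax,eax -> mov eax,0) changes the entry block's
# color, so the fingerprint is only as robust as the class taxonomy behind it.
CROSS_CLASS = dict(ORIGINAL)
CROSS_CLASS["entry"] = (["mov ecx, 16", "lea esi, [buf]", "mov eax, 0"], ["loop"])
# Same instructions, different structure: a forward branch instead of a loop.
UNRELATED = {
    "a": (["mov ecx, 16", "lea esi, [buf]", "xor eax, eax", "test ecx, ecx", "jz c"],
          ["b", "c"]),
    "b": (["add eax, [esi]", "inc esi", "dec ecx"], ["c"]),
    "c": (["push esi", "call handler"], ["d"]),
    "d": (["ret"], []),
}

def compare():
    """True where the two programs receive the same signature."""
    sf, ss = structural_fingerprint, sequence_signature
    return {
        "structural_vs_mutation": sf(ORIGINAL) == sf(MUTATION),        # True
        "sequence_vs_mutation": ss(ORIGINAL) == ss(MUTATION),          # False
        "structural_vs_cross_class": sf(ORIGINAL) == sf(CROSS_CLASS),  # False
        "structural_vs_unrelated": sf(ORIGINAL) == sf(UNRELATED),      # False
    }

if __name__ == "__main__":
    for name, same in compare().items():
        print(f"{name}: {same}")
```

Call `compare()` or run the file directly. The permutation search in `canonical_form` is only acceptable because every color class here has a single block; a real system must use a proper canonical-labelling algorithm, and the coarseness of the instruction classes decides which substitutions the fingerprint tolerates.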



Information

Published In

cover image Guide Proceedings
RAID'05: Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
September 2005
351 pages
ISBN:3540317783
Editors: Alfonso Valdes, Diego Zamboni

Sponsors

  • University of Idaho
  • Conjungi Security Technologies
  • The Boeing Company
  • Pacific Northwest National Laboratory

Publisher

Springer-Verlag, Berlin, Heidelberg


Author Tags

  1. intrusion detection
  2. network worms
  3. polymorphic code
  4. structural analysis

Article Metrics

  • Downloads (Last 12 months)0
  • Downloads (Last 6 weeks)0
Reflects downloads up to 16 Dec 2024

Cited By

  • (2024) Malware similarity and a new fuzzy hash. Computers and Security, 142:C. doi:10.1016/j.cose.2024.103856. Online publication date: 1 Jul 2024.
  • (2023) Scalable Program Clone Search through Spectral Analysis. Proceedings of the 31st ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 808-820. doi:10.1145/3611643.3616279. Online publication date: 30 Nov 2023.
  • (2023) BinAlign: Alignment Padding Based Compiler Provenance Recovery. Information Security and Privacy, 609-629. doi:10.1007/978-3-031-35486-1_26. Online publication date: 5 Jul 2023.
  • (2022) Apícula. Computers and Security, 119:C. doi:10.1016/j.cose.2022.102775. Online publication date: 1 Aug 2022.
  • (2021) Interpretation-enabled Software Reuse Detection Based on a Multi-Level Birthmark Model. Proceedings of the 43rd International Conference on Software Engineering, 873-884. doi:10.1109/ICSE43902.2021.00084. Online publication date: 22 May 2021.
  • (2021) Vestige: Identifying Binary Code Provenance for Vulnerability Detection. Applied Cryptography and Network Security, 287-310. doi:10.1007/978-3-030-78375-4_12. Online publication date: 21 Jun 2021.
  • (2018) DoSE. Proceedings of the 8th Software Security, Protection, and Reverse Engineering Workshop, 1-12. doi:10.1145/3289239.3289243. Online publication date: 3 Dec 2018.
  • (2018) FOSSIL. ACM Transactions on Privacy and Security, 21(2):1-34. doi:10.1145/3175492. Online publication date: 31 Jan 2018.
  • (2016) BinGo: cross-architecture cross-OS binary search. Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering, 678-689. doi:10.1145/2950290.2950350. Online publication date: 1 Nov 2016.
  • (2016) Kam1n0. Proceedings of the 22nd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, 461-470. doi:10.1145/2939672.2939719. Online publication date: 13 Aug 2016.
