• DocumentCode
    1994541
  • Title
    Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms
  • Author
    Li, Zhichun ; Lanjia Wang ; Chen, Yan ; Zhi Fu
  • Author_Institution
    Northwestern Univ., Evanston
  • fYear
    2007
  • fDate
    16-19 Oct. 2007
  • Firstpage
    164
  • Lastpage
    173
  • Abstract
    It is crucial to detect zero-day polymorphic worms and to generate signatures at the edge network gateways or honeynets so that we can prevent the worms from propagating at their early phase. However, most existing network-based signatures generated are not vulnerability-based and can be easily evaded by attacks. In this paper, we propose generating vulnerability-based signatures on the network level without any host-level analysis of worm execution or vulnerable programs. As the first step, we design a network-based length-based signature generator (LESG) for worms based on buffer overflow vulnerabilities. The signatures generated are intrinsic to buffer overflows, and are very hard for attackers to evade. We further prove the attack resilience bounds even under worst case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching. Evaluation based on real-world vulnerabilities of various protocols and real network traffic demonstrates that LESG is promising in achieving these goals.
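    The following is an added illustration of the length-signature idea the abstract describes; it is not the authors' LESG code and it simplifies the generation step (the paper's actual procedure and its proven resilience bounds are not reproduced here). The toy command protocol, the normal and suspicious traffic pools, the FP_MAX and COVERAGE_MIN parameters, and all function names are constructed for this example. The point it shows is why such signatures survive polymorphism: a message that overflows a fixed-size buffer must carry an over-long field whatever bytes it contains, so a threshold on that field's length matches every variant, and a coverage threshold below 1.0 lets the generator tolerate noise messages injected into the suspicious pool.

```python
"""Toy length-based signature generation for buffer-overflow worms.

Constructed example (not the LESG implementation).  Messages follow a
line-based command protocol "VERB argument\r\n"; each verb is treated as
one protocol field, and a signature is a (field, length-threshold) pair.
A message matches when that field's length reaches the threshold.
Thresholds are chosen so that at most FP_MAX of the normal pool matches,
and a signature is kept only when at least COVERAGE_MIN of the suspicious
pool matches, so a few injected noise messages do not suppress it.
"""
from collections import defaultdict

FP_MAX = 0.0        # tolerated false-positive rate on the normal pool (assumed)
COVERAGE_MIN = 0.6  # fraction of the suspicious pool a signature must cover (assumed)


def parse(msg: bytes) -> dict:
    """Split b'VERB arg\\r\\n' into {VERB: arg}; an empty line yields {}."""
    line = msg.rstrip(b"\r\n")
    verb, _, arg = line.partition(b" ")
    if not verb:
        return {}
    return {verb.decode("ascii", "replace"): arg}


def field_lengths(pool):
    """Map field name -> list of observed field lengths, one per message."""
    lengths = defaultdict(list)
    for msg in pool:
        for field, value in parse(msg).items():
            lengths[field].append(len(value))
    return lengths


def generate(normal_pool, suspicious_pool, fp_max=FP_MAX, coverage_min=COVERAGE_MIN):
    """Return {field: threshold}: the smallest threshold per field whose
    false-positive rate on the normal pool is <= fp_max, kept only if it
    covers >= coverage_min of the suspicious pool."""
    normal = field_lengths(normal_pool)
    suspicious = field_lengths(suspicious_pool)
    n_susp = len(suspicious_pool)
    signatures = {}
    for field, lens in suspicious.items():
        norm = normal.get(field)
        if not norm:
            continue  # no normal baseline: a length threshold would be meaningless
        for t in sorted(set(lens)):
            # false positives: normal messages whose field is already >= t long
            fp = sum(1 for n in norm if n >= t) / len(norm)
            if fp > fp_max:
                continue
            # coverage can only fall as t grows, so the first acceptable t decides
            coverage = sum(1 for s in lens if s >= t) / n_susp
            if coverage >= coverage_min:
                signatures[field] = t
            break
    return signatures


def matches(msg: bytes, signatures: dict) -> bool:
    """True if any signature field in the message reaches its threshold."""
    fields = parse(msg)
    return any(len(fields[f]) >= t for f, t in signatures.items() if f in fields)


# Constructed traffic.  Normal pool: ordinary short commands.
NORMAL_POOL = [
    b"USER alice\r\n", b"PASS hunter2\r\n", b"USER bob\r\n",
    b"PASS correcthorsebatterystaple\r\n", b"RETR report.pdf\r\n",
    b"CWD /pub/incoming\r\n", b"USER carol\r\n", b"QUIT\r\n",
]
# Suspicious pool: four polymorphic variants overflowing the USER argument
# (different bytes, all over-long) plus two injected noise messages.
SUSPICIOUS_POOL = [
    b"USER " + bytes([0x90]) * 300 + b"\r\n",
    b"USER " + b"A" * 512 + b"\r\n",
    b"USER " + bytes(range(256)) + b"B" * 77 + b"\r\n",
    b"USER " + b"\x41\x42" * 200 + b"\r\n",
    b"USER dave\r\n",      # noise: looks normal
    b"RETR x.txt\r\n",     # noise: looks normal
]

if __name__ == "__main__":
    sigs = generate(NORMAL_POOL, SUSPICIOUS_POOL)
    print("signatures:", sigs)
    fresh_variant = b"USER " + b"\xcc" * 350 + b"\r\n"
    print("unseen variant matches:", matches(fresh_variant, sigs))
    print("benign login matches:", matches(b"USER alice\r\n", sigs))
```

    With the constructed pools the only signature is a 300-byte threshold on USER: the two noise messages leave coverage at 4/6, above COVERAGE_MIN, while RETR gets no signature because its only suspicious length also occurs at or below normal lengths. A field never seen in the normal pool is skipped, since without a baseline the "threshold" would just be the field's presence rather than its length.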
  • Keywords
    invasive software; telecommunication security; attack-resilient length signature generation zero-day polymorphic worm detection; buffer overflow; network-based length-based signature generator; vulnerability-based signature; Binary codes; Buffer overflow; Character generation; Computer worms; Internet; Intrusion detection; Phase detection; Protocols; Resilience; Telecommunication traffic;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network Protocols, 2007. ICNP 2007. IEEE International Conference on
  • Conference_Location
    Beijing
  • Print_ISBN
    978-1-4244-1588-5
  • Electronic_ISBN
    978-1-4244-1588-5
  • Type
    conf
  • DOI
    10.1109/ICNP.2007.4375847
  • Filename
    4375847