An Automated Signature-Based Approach against Polymorphic Internet Worms
Yong Tang; Shigang Chen; IEEE Transactions on Parallel and Distributed Systems, Vol. 18, No. 7, July 2007
Reporter: Luo Sheng-Yuan 2009/04/09
Outline
•Introduction
•Related Work
•Proposed Scheme
•Experiments Result
•Conclusion
Introduction
•Worms represent a major threat to the Internet.
•Polymorphism techniques let a worm evade detection by current defense systems.
•Position-Aware Distribution Signature (PADS)
•Compute PADS from a set of polymorphic worm samples.
Related Work
•Signature-based
▫Longest Common Substrings
[Figure: two payloads (Payload 1, Payload 2) sharing a longest common substring]
Related Work
•Anomaly-based
▫Byte Frequency Distribution
Related Work
•Polymorphism Techniques
▫Self-encryption
▫Garbage-code Insertion
▫Instruction-substitution
▫Code-transposition
▫Register-reassignment
Related Work
•Variants of a polymorphic worm
Proposed Scheme
•Position-Aware Distribution Signature (PADS)
Proposed Scheme
•Payload Matching against PADS
[Figure: a payload and its significant region]
Proposed Scheme
•Compute PADS from captured worm samples
▫Expectation-Maximization Algorithm
[Figure: Sample 1 ... Sample n aligned on their significant region]
Proposed Scheme
•Compute PADS from captured worm samples
▫Gibbs Sampling Algorithm
[Figure: Sample 1 ... Sample n]
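The slides only name the three pieces of the scheme: the PADS signature (a byte distribution per position of the significant region), payload matching against it, and computing the signature from samples by EM. The Python example below is added here and is not code from the paper or from the presenter. It builds a PADS of width W from constructed worm variants by hard EM (align each sample to the current signature, re-estimate the per-position byte distributions, repeat) and then scores payloads by the best-aligned average log-likelihood ratio against a background distribution. Everything beyond the slides is an assumption of this example: the region width is fixed at 8, the background p0 is estimated from a few constructed benign HTTP payloads, the EM is restarted from every candidate offset of the first sample so a bad random start does not trap it in a poor alignment, and the detection threshold is the midpoint between the weakest training sample and the strongest benign payload. The Gibbs sampling variant is not shown.

```python
"""PADS toy: learn a position-aware distribution signature from polymorphic
worm samples with hard EM, then score payloads against it.
Constructed example; not the paper's or the presenter's code."""
import math
import random
from collections import Counter

ALPHABET = 256
W = 8  # width of the significant region (assumed fixed and known here)

# --- constructed data, not real worm traffic --------------------------------
# Seven invariant bytes plus one byte (index 4) that differs between variants,
# standing in for a register byte that reassignment changes.
REGION_TEMPLATE = [0xAA, 0x8B, 0xC3, 0xCC, None, 0x0F, 0xF0, 0x99]
VARIABLE_CHOICES = [0xC0, 0xC1, 0xC2]

def make_variant(rng):
    """One constructed variant: random filler, the region, more filler.
    Returns (payload, true offset of the region)."""
    region = bytes(rng.choice(VARIABLE_CHOICES) if b is None else b for b in REGION_TEMPLATE)
    before = bytes(rng.randrange(ALPHABET) for _ in range(rng.randint(15, 30)))
    after = bytes(rng.randrange(ALPHABET) for _ in range(rng.randint(15, 30)))
    return before + region + after, len(before)

_rng = random.Random(2009)
WORM_SAMPLES, TRUE_OFFSETS = map(list, zip(*(make_variant(_rng) for _ in range(6))))
UNSEEN_VARIANT, UNSEEN_OFFSET = make_variant(random.Random(7))  # not used for training

BENIGN_PAYLOADS = [  # constructed benign traffic used to estimate the background
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\nAccept: text/html\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 22\r\n\r\nuser=alice&action=view",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\nUser-Agent: curl/7.0\r\n\r\n",
]
BENIGN_CHECK = b"GET /logo.png HTTP/1.1\r\nHost: www.example.test\r\n\r\n"  # constructed

def background_distribution(payloads):
    """p0: add-one smoothed byte frequency of benign traffic (assumption)."""
    counts = Counter()
    for p in payloads:
        counts.update(p)
    total = sum(counts.values()) + ALPHABET
    return [(counts[b] + 1) / total for b in range(ALPHABET)]

P0 = background_distribution(BENIGN_PAYLOADS)

def signature_from_alignment(samples, starts, width, pseudo=1.0):
    """M-step: P_1..P_W, the smoothed byte distribution at each region offset."""
    sig = []
    for i in range(width):
        counts = Counter(s[a + i] for s, a in zip(samples, starts))
        total = len(samples) + pseudo * ALPHABET
        sig.append([(counts[b] + pseudo) / total for b in range(ALPHABET)])
    return sig

def log_ratio_table(sig, p0):
    """Precompute log(P_i(b) / p0(b)) so scoring a window costs W lookups."""
    return [[math.log(p_i[b] / p0[b]) for b in range(ALPHABET)] for p_i in sig]

def match_score(payload, table):
    """Best alignment of the payload against the signature: (max over offsets
    of the average per-byte log-likelihood ratio, that offset)."""
    width = len(table)
    best_score, best_off = -math.inf, None
    for a in range(len(payload) - width + 1):
        score = sum(table[i][payload[a + i]] for i in range(width)) / width
        if score > best_score:
            best_score, best_off = score, a
    return best_score, best_off

def learn_signature(samples, width, p0, max_iter=20):
    """Hard EM: re-align samples (E), re-estimate distributions (M), repeat.
    Restarted from every candidate offset of the first sample; the alignment
    with the highest mean score wins.  Returns (signature, offsets)."""
    best = None
    for a0 in range(len(samples[0]) - width + 1):
        # seed from the first sample alone, then alternate until offsets stop moving
        table = log_ratio_table(signature_from_alignment(samples[:1], [a0], width), p0)
        starts = [match_score(s, table)[1] for s in samples]
        for _ in range(max_iter):
            table = log_ratio_table(signature_from_alignment(samples, starts, width), p0)
            new_starts = [match_score(s, table)[1] for s in samples]
            if new_starts == starts:
                break
            starts = new_starts
        table = log_ratio_table(signature_from_alignment(samples, starts, width), p0)
        objective = sum(match_score(s, table)[0] for s in samples) / len(samples)
        if best is None or objective > best[0]:
            best = (objective, starts)
    return signature_from_alignment(samples, best[1], width), best[1]

def choose_threshold(sig, p0, samples, benign):
    """Midpoint between the weakest worm sample and the strongest benign
    payload (a simple assumption, not the paper's threshold selection)."""
    table = log_ratio_table(sig, p0)
    lowest_worm = min(match_score(s, table)[0] for s in samples)
    highest_benign = max(match_score(b, table)[0] for b in benign)
    return (lowest_worm + highest_benign) / 2

def is_worm(payload, sig, p0, threshold):
    """Payload matching against PADS: flag if the best alignment clears the threshold."""
    return match_score(payload, log_ratio_table(sig, p0))[0] >= threshold

if __name__ == "__main__":
    sig, offsets = learn_signature(WORM_SAMPLES, W, P0)
    thr = choose_threshold(sig, P0, WORM_SAMPLES, BENIGN_PAYLOADS)
    print("learned offsets", offsets, "true", TRUE_OFFSETS, "threshold %.2f" % thr)
    print("unseen variant flagged:", is_worm(UNSEEN_VARIANT, sig, P0, thr))
    print("benign request flagged:", is_worm(BENIGN_CHECK, sig, P0, thr))
```

The point the slides make about substring signatures shows up at the variable byte: a longest-common-substring signature would have to drop to the seven fixed bytes (or shorter, under more aggressive mutation), whereas the PADS keeps a distribution at that position and still aligns every variant. The background choice matters for false positives: with p0 estimated from text-like traffic, any window of high-entropy binary bytes scores above zero, so the threshold has to be set against realistic benign binary traffic as well, which is what the paper's false-positive experiments measure.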
Experiments Result
•False Positives and False Negatives
Experiments Result
•Convergence of EM and Gibbs
Experiments Result
•Matching Time
Conclusion
•We propose iterative algorithms to calculate the signature from captured worm samples.
•Extensive experiments are performed on four worms to validate the proposed signature and its algorithms.
Comment
•Matching time is higher than that of traditional approaches.
•The variants of these worms are generated artificially using some polymorphism techniques, but not including self-encryption, code-transposition, and register-reassignment.
•Maybe the iterative algorithms can be replaced by a genetic algorithm.