An Automated Signature Generation Approach for

Polymorphic Worm Based on Color Coding

Jie Wang; Jianxin Wang; Jianer Chen; Xi Zhang;IEEE International Conference on Communications, 2009. ICC '09.

1

Reporter: Luo Sheng-Yuan 2009/11/12

Outline

•Introduction

•Related Work

•Proposed Scheme

•Experiments Result

•Conclusion

2

Introduction

•Previous approaches can generate signature for worm without noise disturbance, but they all have trouble in generating worm signature with noise.

3

Related Work

•Polygraph’s Scheme▫Token Signature

4

Related Work

•Polygraph’s Scheme▫Token-subsequence Signature

consists of ordered list of tokens

▫Conjunction Signature consists of an unordered set of tokens

▫Bayes Signature consists of a set of tokens, each token is

associated with a score

5

Proposed Scheme

•Color Coding▫5 items, 4 colors▫There must be 2 items with same color.

6

Proposed Scheme

•CCSF(Color Coding Signature Finding)▫Divides n sequences into m groups and

each group contains 20 sequences.

7

………………………………

Suspicious Pool

(n sequence)

20

20

20

20

Proposed Scheme

•CCSF▫Color Coding

8

Proposed Scheme

•CCFS▫Extracts Common Substrings(Tokens)

9

Sequence 1

1 scan 2 scan

H e l l o W o r l dSequence

2H e l l o h W o r l d r u

Sequence k

H e l l o t W o r l d h

Experiments Result

•Signature generation with some noise sequences.

Correct Signature

10

Experiments Result

•Signature generation with some noise sequences.

Accurate Signature

11

Conclusion

•CCSF is able to generate signatures automatically for polymorphic worms in the environments with noise.

•In this paper, only one worm type of a suspicious flow pool is considered in CCSF.

12