An Automated Signature Generation Approach for Polymorphic Worm Based on Color Coding

1. An Automated Signature Generation Approach for Polymorphic Worm Based on Color Coding Jie Wang; Jianxin Wang; Jianer Chen; Xi Zhang; IEEE International Conference on Communications, 2009. ICC '09. Reporter: Luo Sheng-Yuan 2009/11/12

2. Outline • Introduction • Related Work • Proposed Scheme • Experiments Result • Conclusion

3. Introduction • Previous approaches can generate signature for worm without noise disturbance, but they all have trouble in generating worm signature with noise.

4. Related Work • Polygraph’s Scheme • Token Signature

5. Related Work • Polygraph’s Scheme • Token-subsequence Signature • consists of ordered list of tokens • Conjunction Signature • consists of an unordered set of tokens • Bayes Signature • consists of a set of tokens, each token is associated with a score

6. Proposed Scheme • Color Coding • 5 items, 4 colors • There must be 2 items with same color.

7. Proposed Scheme • CCSF(Color Coding Signature Finding) • Divides n sequences into m groups and each group contains 20 sequences. Suspicious Pool (n sequence) ……………………………… 20 20 20 20

8. Proposed Scheme • CCSF • Color Coding

9. Proposed Scheme • CCFS • Extracts Common Substrings(Tokens) Sequence1 H e l l o W o r l d Sequence2 H e l l o h W o r l d r u 1 scan 2 scan Sequencek H e l l o t W o r l d h

10. Experiments Result • Signature generation with some noise sequences. • Correct Signature

11. Experiments Result • Signature generation with some noise sequences. • Accurate Signature

12. Conclusion • CCSF is able to generate signatures automatically for polymorphic worms in the environments with noise. • In this paper, only one worm type of a suspicious flow pool is considered in CCSF.