POLYGRAPH : Automatically Generating Signatures for Polymorphic Worms - PowerPoint PPT Presentation

polygraph automatically generating signatures for polymorphic worms n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
POLYGRAPH : Automatically Generating Signatures for Polymorphic Worms PowerPoint Presentation
Download Presentation
POLYGRAPH : Automatically Generating Signatures for Polymorphic Worms

play fullscreen
1 / 22
POLYGRAPH : Automatically Generating Signatures for Polymorphic Worms
154 Views
Download Presentation
chiara
Download Presentation

POLYGRAPH : Automatically Generating Signatures for Polymorphic Worms

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms Authors: James Newsome, Brad Karp, Dawn Song PUBLICATION: IEEE Security and Privacy Symposium, May 2005 CLASS PRESENTATION BY: Anvita Priyam

  2. POLYGRAPH • Intrusion Detection Systems(IDS) > Monitor networking traffic for suspicious activity > Alert the system or administrator > May block user or source IP • Signature based IDS > monitors packets on the n/w & compares them against database of signatures > lag in case of a new threat

  3. POLYGRAPH • Currently Used Techniques By IDS > string matching at arbitrary payload offsets > string matching at fixed payload offsets > matching of regular expressions within a flow’s payload

  4. POLYGRAPH • Polymorphic Worm > changes its appearance with every instance > byte sequences of worm instances vary > code remains the same • Mechanism > encrypt the code with a random key > generate a short decryptor(PD) > PD and the key keep changing

  5. POLYGRAPH • Motivation for automating signatures > earlier, signatures were generated manually > slow paced

  6. POLYGRAPH • Polygraph comes into picture > signatures consist of multiple disjoint content substring > substrings: protocol framing, return addresses, poorly obfuscated code > often present in all variants of a payload PS: It does not consider single substring signature

  7. POLYGRAPH • Underlying Assumption > possible to generate signatures automatically that match the many variants of PW > offer low false positives and low false negatives • BASIS > share invariant content as they exploit same vulnerability

  8. POLYGRAPH • Sources of Invariant Content > Exploit Framing( e.g., reserved keywords, binary constants that are part of wire protocol) > Exploit Payload

  9. POLYGRAPH • Signature Classes for PW > Conjunction Signatures > Token Subsequence Signature > Bayes Signature

  10. POLYGRAPH • Conjunction Signatures > signature consists of a set of tokens > all the tokens must match > order of matching is not particular

  11. POLYGRAPH • Token-subsequence Signatures > consists of ordered set of tokens > identical ordering is required for a match > can be easily expressed as regular expressions > more specific compared to conjunction signature

  12. POLYGRAPH • Bayes Signature > associated with a score and an overall threshold > instead of exact matching it provides probabilistic matching > construction and matching is less rigid

  13. POLYGRAPH • ARCHITECTURE Suspicious Flow Pool PSG Flow classifier N/W tap Innocuous Flow Pool Signature Evaluator

  14. POLYGRAPH • Design Goals > Signature quality > Efficient signature generation > Efficient signature matching > Generation of small signature sets > Robustness against noise and multiple worms > Robustness against evasion and subversion

  15. POLYGRAPH • Signature Generation Algorithms > Pre-processing: Token extraction > first step to eliminate irrelevant parts > extract all distinct substrings of min length > Generating single signatures > for conjunction signature just use token extraction, signature is this set of tokens > for token subsequence signature find a subsequence of tokens that is present in sample. Iteratively apply string alignment

  16. POLYGRAPH • Signature Generation Algo( cont’d) > for bayes signature > choose set of tokens > calculate empirical probability of occurrence > each token is then assigned a score > if greater than threshold classified as worm

  17. POLYGRAPH • Generating Multiple Signatures > Bayes signature remains unmodified > Token subsequence and conjunction algos require clustering

  18. POLYGRAPH • Experimental Results > Single Polymorphic worm > Apache-Knacker Exploit > Conjunction signatures( .0024% False+,0% False-) > Token-subsequence(.0008% False+,0% False-) > Bayes signatures(.008% False+,0% False-) > BIND-TSIG Exploit > Conjunction signatures(0% False+ & False-) > Token-Subsequence(0% False+ & False-) > Bayes Signatures(.0023% False+,0% False-)

  19. POLYGRAPH • Experimental Results (cont’d) > Single polymorphic worm & noise > conjunction & token subsequence signatures remain the same > Bayes signatures are not affected by noise until it grows beyond 80% > Multiple polymorphic worms & noise > conjunction & token subsequence signatures are generated for each type of worm. > only one bayes signature is generated that matches all the worms.

  20. POLYGRAPH • CONCLUSION > content based filtering holds great promise for tackling PW > Polygraph automatically derives signatures for PW > It generates high quality signatures even in the presence of multiple flows and noise > rumors of demise of content based filtering is exaggerated

  21. POLYGRAPH • WEAKNESS > very little insight into how PWs function > payload invariance assumptions are naïve > no clear reference to situational applications of signature generation algorithms

  22. POLYGRAPH • SUGGESTIONS > should be more informative on initial topics > a wider range of studies required