
POLYGRAPH : Automatically Generating Signatures for Polymorphic Worms

POLYGRAPH : Automatically Generating Signatures for Polymorphic Worms. Authors : James Newsome, Brad Karp, Dawn Song PUBLICATION : IEEE Security and Privacy Symposium, May 2005 CLASS PRESENTATION BY : Anvita Priyam. POLYGRAPH. Intrusion Detection Systems(IDS)





  1. POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms
  Authors: James Newsome, Brad Karp, Dawn Song
  PUBLICATION: IEEE Security and Privacy Symposium, May 2005
  CLASS PRESENTATION BY: Anvita Priyam

  2. POLYGRAPH
  • Intrusion Detection Systems (IDS)
    > monitor network traffic for suspicious activity
    > alert the system or administrator
    > may block the user or source IP
  • Signature-based IDS
    > monitors packets on the n/w & compares them against a database of signatures
    > lags in the case of a new threat

  3. POLYGRAPH
  • Currently Used Techniques by IDS
    > string matching at arbitrary payload offsets
    > string matching at fixed payload offsets
    > matching of regular expressions within a flow's payload

  4. POLYGRAPH
  • Polymorphic Worm
    > changes its appearance with every instance
    > byte sequences of worm instances vary
    > code remains the same
  • Mechanism
    > encrypt the code with a random key
    > generate a short decryptor (PD)
    > PD and the key keep changing

  5. POLYGRAPH
  • Motivation for automating signatures
    > earlier, signatures were generated manually
    > slow paced

  6. POLYGRAPH
  • Polygraph comes into the picture
    > signatures consist of multiple disjoint content substrings
    > substrings: protocol framing, return addresses, poorly obfuscated code
    > often present in all variants of a payload
  PS: it does not consider single-substring signatures

  7. POLYGRAPH
  • Underlying Assumption
    > it is possible to generate signatures automatically that match the many variants of a PW
    > and that offer low false positives and low false negatives
  • BASIS
    > variants share invariant content as they exploit the same vulnerability

  8. POLYGRAPH
  • Sources of Invariant Content
    > Exploit Framing (e.g., reserved keywords, binary constants that are part of the wire protocol)
    > Exploit Payload

  9. POLYGRAPH
  • Signature Classes for PW
    > Conjunction Signatures
    > Token-subsequence Signatures
    > Bayes Signatures

  10. POLYGRAPH
  • Conjunction Signatures
    > signature consists of a set of tokens
    > all the tokens must match
    > the order in which they match does not matter

  11. POLYGRAPH
  • Token-subsequence Signatures
    > consist of an ordered set of tokens
    > identical ordering is required for a match
    > can be easily expressed as regular expressions
    > more specific compared to conjunction signatures

  12. POLYGRAPH
  • Bayes Signatures
    > each token is associated with a score, and the signature with an overall threshold
    > instead of exact matching it provides probabilistic matching
    > construction and matching are less rigid
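The three signature classes from slides 10 to 12 as matchers, written as an added example (my code, not the authors' implementation). The two "worm" flows and the innocuous flow are constructed; the return-address bytes and token scores are illustrative assumptions, not values from the paper.

```python
import re

# Constructed sample flows (not from the paper): both "worm" flows share the
# invariant tokens b"GET " and the fake return-address bytes b"\xff\xbf",
# while the filler between them differs, as in a polymorphic payload.
WORM_FLOWS = [
    b"GET /a\x90\x90\xff\xbf HTTP/1.1\r\nHost: x\r\n\r\n",
    b"GET /bbbbbb\x41\x42\xff\xbf HTTP/1.1\r\nHost: y\r\n\r\n",
]
INNOCUOUS_FLOW = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"

def match_conjunction(tokens, flow):
    """Conjunction signature: every token must occur somewhere in the flow;
    the order in which they occur does not matter."""
    return all(t in flow for t in tokens)

def token_subsequence_regex(tokens):
    """Token-subsequence signature as a regular expression: t1.*t2.*t3, so the
    tokens must occur in the given order (DOTALL lets .* span line breaks)."""
    return re.compile(b".*".join(re.escape(t) for t in tokens), re.DOTALL)

def match_token_subsequence(tokens, flow):
    """Ordered match: the flow must contain the tokens in signature order."""
    return token_subsequence_regex(tokens).search(flow) is not None

def match_bayes(scores, threshold, flow):
    """Bayes signature: add up the scores of the tokens present in the flow and
    classify as worm when the total reaches the threshold (probabilistic, not exact)."""
    return sum(s for t, s in scores.items() if t in flow) >= threshold
```

Note that the same two tokens given in the wrong order still match as a conjunction but fail as a token subsequence, which is the extra specificity slide 11 refers to.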

  13. POLYGRAPH
  • ARCHITECTURE (diagram; components shown): N/W tap, Flow classifier, Suspicious Flow Pool, Innocuous Flow Pool, PSG (Polygraph Signature Generator), Signature Evaluator

  14. POLYGRAPH
  • Design Goals
    > signature quality
    > efficient signature generation
    > efficient signature matching
    > generation of small signature sets
    > robustness against noise and multiple worms
    > robustness against evasion and subversion

  15. POLYGRAPH
  • Signature Generation Algorithms
    > Pre-processing: token extraction
      > first step, to eliminate irrelevant parts
      > extract all distinct substrings of a minimum length
    > Generating single signatures
      > for a conjunction signature, just use token extraction; the signature is this set of tokens
      > for a token-subsequence signature, find a subsequence of tokens that is present in every sample; iteratively apply string alignment

  16. POLYGRAPH
  • Signature Generation Algorithms (cont'd)
    > for a Bayes signature
      > choose a set of tokens
      > calculate the empirical probability of occurrence
      > each token is then assigned a score
      > if the total score is greater than the threshold, the flow is classified as worm
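The generation steps of slides 15 and 16 carried through end to end, as an added example (my code, not the authors' implementation): token extraction, the conjunction and token-subsequence signatures built from the extracted tokens, and Bayes token scores with a threshold. The suspicious and innocuous pools are constructed; the ordering check standing in for the paper's iterative string alignment, the 0.5 pseudo-count and the threshold rule are simplifying assumptions.

```python
import math
from itertools import combinations
# Constructed sample pools (not from the paper): the three "worm" flows share
# protocol framing and a fake return address \xff\xbf; the filler bytes differ.
SUSPICIOUS = [
    b"GET /\x90\x90\x90\xff\xbf HTTP/1.1\r\nHost: a\r\n\r\n",
    b"GET /\x41\x42\x43\x44\xff\xbf HTTP/1.1\r\nHost: bb\r\n\r\n",
    b"GET /\x01\x02\xff\xbf HTTP/1.1\r\nHost: ccc\r\n\r\n",
]
INNOCUOUS = [
    b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www\r\n\r\n",
]

def extract_tokens(flows, min_len=2):
    """Pre-processing: maximal substrings of length >= min_len present in every
    flow of the pool (candidates are enumerated from the shortest flow)."""
    base = min(flows, key=len)
    cands = {base[i:j] for i in range(len(base))
             for j in range(i + min_len, len(base) + 1)}
    common = [t for t in cands if all(t in f for f in flows)]
    return sorted(t for t in common if not any(t != u and t in u for u in common))

def conjunction_signature(flows):
    """Conjunction signature: the extracted token set, order ignored."""
    return set(extract_tokens(flows))

def token_subsequence_signature(flows):
    """Stand-in for the paper's iterative string alignment: keep the tokens whose
    relative order is identical in every flow, listed in flow-0 order."""
    toks = extract_tokens(flows)
    pos = [{t: f.find(t) for t in toks} for f in flows]
    bad = set()
    for t, u in combinations(toks, 2):
        if len({p[t] < p[u] for p in pos}) > 1:   # order differs between flows
            bad.update((t, u))
    return sorted((t for t in toks if t not in bad), key=flows[0].find)

def bayes_score(scores, flow):
    """Bayes matching: sum the scores of the tokens that occur in the flow."""
    return sum(s for t, s in scores.items() if t in flow)

def bayes_signature(suspicious, innocuous):
    """Token score = log(P(token|worm) / P(token|innocuous)), estimated from the
    two pools with a 0.5 pseudo-count; threshold = lowest suspicious-flow score."""
    def p(t, pool): return (sum(t in f for f in pool) + 0.5) / (len(pool) + 1)
    scores = {t: math.log(p(t, suspicious) / p(t, innocuous))
              for t in extract_tokens(suspicious)}
    return scores, min(bayes_score(scores, f) for f in suspicious)
```

On these pools the return-address token scores highest because it never appears in innocuous traffic, while the trailing CRLF pair scores close to zero because almost every flow contains it.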

  17. POLYGRAPH
  • Generating Multiple Signatures
    > the Bayes signature algorithm remains unmodified
    > the token-subsequence and conjunction algorithms require clustering

  18. POLYGRAPH
  • Experimental Results
    > Single polymorphic worm
      > Apache-Knacker exploit
        > Conjunction signatures (0.0024% false positives, 0% false negatives)
        > Token-subsequence signatures (0.0008% false positives, 0% false negatives)
        > Bayes signatures (0.008% false positives, 0% false negatives)
      > BIND-TSIG exploit
        > Conjunction signatures (0% false positives & false negatives)
        > Token-subsequence signatures (0% false positives & false negatives)
        > Bayes signatures (0.0023% false positives, 0% false negatives)

  19. POLYGRAPH
  • Experimental Results (cont'd)
    > Single polymorphic worm & noise
      > conjunction & token-subsequence signatures remain the same
      > Bayes signatures are not affected by noise until it grows beyond 80%
    > Multiple polymorphic worms & noise
      > conjunction & token-subsequence signatures are generated for each type of worm
      > only one Bayes signature is generated, which matches all the worms

  20. POLYGRAPH
  • CONCLUSION
    > content-based filtering holds great promise for tackling PW
    > Polygraph automatically derives signatures for PW
    > it generates high-quality signatures even in the presence of multiple flows and noise
    > rumors of the demise of content-based filtering are exaggerated

  21. POLYGRAPH
  • WEAKNESS
    > very little insight into how PWs function
    > payload invariance assumptions are naïve
    > no clear reference to situational applications of the signature generation algorithms

  22. POLYGRAPH
  • SUGGESTIONS
    > should be more informative on the initial topics
    > a wider range of studies is required
