
Research On Automatic Signature Generation For Polymorphic Worm

Posted on: 2011-04-13
Degree: Doctor
Type: Dissertation
Country: China
Candidate: J Wang
Full Text: PDF
GTID: 1118330335488704
Subject: Computer application technology
Abstract/Summary:
In order to prevent worms from propagating rapidly, it is essential to generate worm signatures quickly and accurately. However, in most cases, defense against worm attacks can only be mounted reactively, after the damage has already been done. Because worms are able to spread substantially faster than humans can respond, most recent research attention has concentrated on automating the process of worm signature generation. However, polymorphic worm signature generation systems cannot generate correct worm signatures because many attacks against these systems have appeared.

Based on research into worm polymorphic and metamorphic technology, polymorphic worm signatures and automatic signature generation algorithms are studied in depth. The main original works and innovations include:

Most recent worm signatures are constructed from the worm bytes themselves. They can detect one pattern of worm successfully, but are not appropriate for polymorphic worms, since these worms change their patterns dynamically. A class of neighborhood-relation signatures (NRS) is proposed, based on the neighborhood relationship between worm bytes. Experimental results show that NRS can capture the characteristics of polymorphic worms and can be used to detect polymorphic worms efficiently.

Most polymorphic worm signature generation approaches cannot handle the noise problem well. An approach based on color coding is presented to solve the problem of generating polymorphic worm signatures in noisy environments. First, an algorithm CCSF based on string matching is presented. CCSF divides n sequences into m groups. It generates signatures for each group by adopting color coding and filters them. Then all reserved signatures are clustered to remove redundant substrings. Experimental results show that CCSF can generate worm signatures without any fragment in noisy environments, and that it can be used in an IDS (Intrusion Detection System) to detect polymorphic worms.

Moreover, to generate NRS in noisy environments we present an algorithm CGNRS. We have carried out extensive experiments to compare signatures generated by CGNRS with signatures generated by existing approaches. The experimental results show that CGNRS is superior to the others whether or not the suspicious flow pool contains noise sequences.

A signature generation algorithm based on a random strategy, SGARS, is proposed. SGARS applies the random strategy, and color coding is then used while resolving noise disturbance to improve the algorithm's running efficiency. Extensive experiments are carried out to demonstrate the correctness of our approach, in comparison with signatures generated by existing approaches. The experimental results show that our approach can generate polymorphic signatures more quickly when the suspicious flow pool contains noise sequences.

In this paper, an approach based on seed-extending is proposed to generate polymorphic worm signatures from a suspicious flow pool that contains several kinds of worm sequences as well as noise sequences. SESG consists of four subalgorithms: Note Weighting, Selecting Seed, Extending Cluster and Signature Generation. We run experiments to compare SESG with other approaches. Experimental results show that SESG can separate worm sequences from noise sequences in the suspicious flow pool better than other existing approaches, which makes generating effective worm signatures easier.

A model based on natural biological feeding and breeding rules is proposed to characterize the propagation of polymorphic worms with permutation scanning. The influence on worm propagation is evaluated when signatures based on string matching and NRS are used to detect worms. The model analyzes the number of each type of worm during the propagation process, and the impact of various parameters on propagation with and without an IDS in the environment.
Keywords/Search Tags: signature generation, worm signature, polymorphic worm, color coding, intrusion detection