
Automatic Extraction Model Based CFG Polymorphic Worm Characteristics

Posted on: 2011-10-13
Degree: Master
Type: Thesis
Country: China
Candidate: N N Shi
Full Text: PDF
GTID: 2208360308467829
Subject: Computer application technology
Abstract/Summary:
This study was sponsored by the National Natural Science Foundation of China project "Study of Network Camouflaging Cooperative Security Model", grant number 60503008.

With the popularity of network applications, network worms have become a focus of attention, and how to detect worms and how to prevent their spread and damage has become a research hotspot. Traditional worm detection technology assumes that the worm's code does not change during propagation. In fact, worms use encryption, instruction replacement and other metamorphic techniques to change their instruction flow and structure during propagation while keeping the same function. As a result, traditional detection methods may generate a number of different signatures for the same worm, or may fail to detect a variant of the worm from a known signature. Ideal polymorphism is entirely feasible in theory, and when an ideal polymorphic worm has no part in common across its variants, traditional detection methods become completely ineffective.

This thesis is based on the premise that the instruction architecture of a polymorphic worm does not change. We consider the instruction sequence, instruction normalization technology and the structure of the worm's binary code together to design an automatic signature generation model for polymorphic worms based on the CFG (Control Flow Graph): by extracting the common sub-structure of the control flow graphs of different polymorphic variants, we detect polymorphic worms using a similarity-matching detection algorithm. Finally, the effectiveness of the automatic signature generation model and algorithm is tested and evaluated in several experiments.

The major work includes:
(1) By analyzing the distinction between polymorphic worms and traditional viruses, the structure and function of polymorphic worms, their propagation process and all kinds of metamorphic techniques, we abandon the previous signature generation technique based on packet content and instead extract the structural features of the polymorphic worm's binary code. We design a signature based on the structure of the binary code of the worm: CFG plus instruction sequence features.
(2) We apply instruction normalization technology during signature generation, which eliminates mutation in the CFG structure, the instruction flow and other aspects, so that polymorphic worm samples show more similarity and the signature is more scientific and accurate.
(3) Starting from the Jaccard similarity detection algorithm and taking the characteristics of the two structures into account, we make some changes to design a similarity detection algorithm that measures the similarity between the signature and a sample, so that we can judge whether the sample is worm traffic.
(4) A prototype system that automatically generates signatures for polymorphic worms and detects worm variants using the similarity algorithm is implemented. Experimental results show the validity of the model and algorithm.
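The pipeline the abstract describes, reduced to a toy model as an added illustration (my Python, not the thesis's code): instruction normalization, a CFG signature built from the sub-structure common to known variants, and a similarity score between signature and sample. The disassembly snippets are constructed, and the asymmetric containment score is my own stand-in for the thesis's modified Jaccard measure, whose details the abstract does not give.

```python
import re

# Constructed toy disassembly (not from the thesis): block name -> (instructions,
# successors). A and B are one decoder loop after register renaming, constant
# substitution and NOP insertion; C adds a junk block; D is an unrelated function.
VARIANT_A = {
    "entry": (["push ebp", "mov ebp, esp", "xor eax, eax"], ["loop"]),
    "loop": (["mov al, [esi]", "xor al, 0x5A", "inc esi", "cmp esi, 0x401000"], ["loop", "exit"]),
    "exit": (["ret"], []),
}
VARIANT_B = {
    "b0": (["push ebp", "mov ebp, esp", "nop", "xor ebx, ebx"], ["b1"]),
    "b1": (["mov bl, [edi]", "nop", "xor bl, 0x77", "inc edi", "cmp edi, 0x402000"], ["b1", "b2"]),
    "b2": (["ret"], []),
}
SAMPLE_C = {  # unseen variant: junk block inserted between entry and loop
    "c0": (["push ebp", "mov ebp, esp", "xor ecx, ecx"], ["junk"]),
    "junk": (["push eax", "pop eax"], ["c1"]),
    "c1": (["mov cl, [ebx]", "xor cl, 0x11", "inc ebx", "cmp ebx, 0x403000"], ["c1", "c2"]),
    "c2": (["ret"], []),
}
BENIGN_D = {  # unrelated function, must not match
    "f": (["push ebp", "mov ebp, esp", "mov eax, 1"], ["r"]),
    "r": (["pop ebp", "ret"], []),
}

REG = re.compile(r"\b(e?[abcd][xlh]|e?[sd]i|e?[sb]p)\b")
IMM = re.compile(r"\b0x[0-9a-f]+\b|\b\d+\b")

def normalize(instr):
    # Instruction normalization: registers and immediates become one token each.
    return REG.sub("REG", IMM.sub("IMM", instr.strip().lower()))
def block_key(instrs):
    # Normalized instruction sequence of a basic block, junk NOPs dropped.
    return " ; ".join(n for n in map(normalize, instrs) if n != "nop")
def cfg_edges(cfg):
    # Structural view: CFG edges keyed by normalized block content, not by name.
    key = {name: block_key(ins) for name, (ins, _) in cfg.items()}
    return {(key[a], key[b]) for a, (_, succs) in cfg.items() for b in succs}
def generate_signature(variants):
    # Signature = common sub-structure: edges present in every known variant.
    return set.intersection(*(cfg_edges(v) for v in variants))
def jaccard(a, b):
    # Symmetric Jaccard: diluted by any extra (junk) structure in the sample.
    return len(a & b) / len(a | b) if a | b else 0.0
def containment(sig, sample):
    # Assumed asymmetric score: fraction of signature edges the sample contains.
    return len(sig & sample) / len(sig) if sig else 0.0
def is_worm(sig, cfg, threshold=0.6):
    return containment(sig, cfg_edges(cfg)) >= threshold
```

On this input the signature has three edges; the unseen variant C scores 2/3 by containment but only 0.4 by plain Jaccard, which is why a signature-relative measure suits a common-sub-structure signature better.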
Keywords/Search Tags: polymorphic worm, CFG, signature generation, similarity metric