LISABETH: automated content-based signature generator for zero-day polymorphic worms / L. Cavallaro, A. Lanzi, L. Mayer, M. Monga. - In: SESS '08: Proceedings of the fourth international workshop on Software engineering for secure systems. - New York : ACM, 2008. - ISBN 978-1-60558-042-5. - pp. 41-48. (Paper presented at the 4th SESS conference, held in Leipzig, Germany, in 2008) [10.1145/1370905.1370911].

LISABETH: automated content-based signature generator for zero-day polymorphic worms

L. Cavallaro (first author); A. Lanzi (second author); M. Monga (last author)
2008

Abstract

Modern worms can spread so quickly that any countermeasure based on human reaction might not be fast enough. Recent research has focused on devising algorithms to automatically produce signatures for polymorphic worms, as required by Intrusion Detection Systems. However, polymorphic worms are more complex than non-mutating ones, as they also require the identification of mutated instances. To this end, we propose LISABETH, our improved version of Hamsa, an automated content-based signature generation system for polymorphic worms that uses invariant bytes analysis of network traffic content. We show a previously unknown attack on Hamsa's signature generator that is countered by LISABETH. Moreover, we show that our approach is able to generally improve the resilience to poisoning attacks, as supported by our experiments with synthetic polymorphic worms. Copyright 2008 ACM.
Sector INF/01 - Computer Science
2008
ACM
Book Part (author)

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/39758
Citations
  • PMC ND
  • Scopus 45
  • ISI ND