Modern worms can spread so quickly that any countermeasure based on human reaction might not be fast enough. Recent research has focused on devising algorithms that automatically produce the signatures for polymorphic worms required by Intrusion Detection Systems. However, polymorphic worms are more complex than non-mutating ones, as they also require the identification of mutated instances. To this end, we propose LISABETH, our improved version of Hamsa, an automated content-based signature generation system for polymorphic worms that uses invariant bytes analysis of network traffic content. We show a previously unknown attack on Hamsa's signature generator that LISABETH counters. Moreover, we show that our approach generally improves resilience to poisoning attacks, as supported by our experiments with synthetic polymorphic worms. Copyright 2008 ACM.
|Title:||LISABETH: automated content-based signature generator for zero-day polymorphic worms|
|Internal authors:||MONGA, MATTIA (Last)|
CAVALLARO, LORENZO (First)
LANZI, ANDREA (Second)
|Scientific Disciplinary Sector:||Sector INF/01 - Computer Science|
|Publication date:||2008|
|Organizations associated with the conference:||ACM|
|Digital Object Identifier (DOI):||10.1145/1370905.1370911|
|Type:||Book Part (author)|
|Appears in types:||03 - Contribution in volume|