POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms Authors: James Newsome, Brad Karp, Dawn Song PUBLICATION: IEEE Security and Privacy Symposium, May 2005 CLASS PRESENTATION BY: Anvita Priyam

Intrusion Detection Systems(IDS) POLYGRAPH Intrusion Detection Systems(IDS) > Monitor networking traffic for suspicious activity > Alert the system or administrator > May block user or source IP Signature based IDS > monitors packets on the n/w & compares them against database of signatures > lag in case of a new threat

Currently Used Techniques By IDS POLYGRAPH Currently Used Techniques By IDS > string matching at arbitrary payload offsets > string matching at fixed payload offsets > matching of regular expressions within a flow’s payload

> changes its appearance with every instance POLYGRAPH Polymorphic Worm > changes its appearance with every instance > byte sequences of worm instances vary > code remains the same Mechanism > encrypt the code with a random key > generate a short decryptor(PD) > PD and the key keep changing

Motivation for automating signatures POLYGRAPH Motivation for automating signatures > earlier, signatures were generated manually > slow paced

Polygraph comes into picture > signatures consist of multiple disjoint content substring > substrings: protocol framing, return addresses, poorly obfuscated code > often present in all variants of a payload PS: It does not consider single substring signature

Underlying Assumption POLYGRAPH Underlying Assumption > possible to generate signatures automatically that match the many variants of PW > offer low false positives and low false negatives BASIS > share invariant content as they exploit same vulnerability

Sources of Invariant Content POLYGRAPH Sources of Invariant Content > Exploit Framing( e.g., reserved keywords, binary constants that are part of wire protocol) > Exploit Payload

Signature Classes for PW > Conjunction Signatures POLYGRAPH Signature Classes for PW > Conjunction Signatures > Token Subsequence Signature > Bayes Signature

Conjunction Signatures > signature consists of a set of tokens POLYGRAPH Conjunction Signatures > signature consists of a set of tokens > all the tokens must match > order of matching is not particular

Token-subsequence Signatures > consists of ordered set of tokens POLYGRAPH Token-subsequence Signatures > consists of ordered set of tokens > identical ordering is required for a match > can be easily expressed as regular expressions > more specific compared to conjunction signature

Bayes Signature > associated with a score and an overall threshold POLYGRAPH Bayes Signature > associated with a score and an overall threshold > instead of exact matching it provides probabilistic matching > construction and matching is less rigid

ARCHITECTURE POLYGRAPH Suspicious Flow Pool Flow N/W PSG classifier tap Innocuous Flow Pool Signature Evaluator

> Signature quality POLYGRAPH Design Goals > Signature quality > Efficient signature generation > Efficient signature matching > Generation of small signature sets > Robustness against noise and multiple worms > Robustness against evasion and subversion

Signature Generation Algorithms POLYGRAPH Signature Generation Algorithms > Pre-processing: Token extraction > first step to eliminate irrelevant parts > extract all distinct substrings of min length > Generating single signatures > for conjunction signature just use token extraction, signature is this set of tokens > for token subsequence signature find a subsequence of tokens that is present in sample. Iteratively apply string alignment

Signature Generation Algo( cont’d) > for bayes signature POLYGRAPH Signature Generation Algo( cont’d) > for bayes signature > choose set of tokens > calculate empirical probability of occurrence > each token is then assigned a score > if greater than threshold classified as worm

Generating Multiple Signatures > Bayes signature remains unmodified POLYGRAPH Generating Multiple Signatures > Bayes signature remains unmodified > Token subsequence and conjunction algos require clustering

Experimental Results > Single Polymorphic worm POLYGRAPH Experimental Results > Single Polymorphic worm > Apache-Knacker Exploit > Conjunction signatures( .0024% False+,0% False-) > Token-subsequence(.0008% False+,0% False-) > Bayes signatures(.008% False+,0% False-) > BIND-TSIG Exploit > Conjunction signatures(0% False+ & False-) > Token-Subsequence(0% False+ & False-) > Bayes Signatures(.0023% False+,0% False-)

Experimental Results (cont’d) POLYGRAPH Experimental Results (cont’d) > Single polymorphic worm & noise > conjunction & token subsequence signatures remain the same > Bayes signatures are not affected by noise until it grows beyond 80% > Multiple polymorphic worms & noise > conjunction & token subsequence signatures are generated for each type of worm. > only one bayes signature is generated that matches all the worms.

> content based filtering holds great promise for POLYGRAPH CONCLUSION > content based filtering holds great promise for tackling PW > Polygraph automatically derives signatures for PW > It generates high quality signatures even in the presence of multiple flows and noise > rumors of demise of content based filtering is exaggerated

> very little insight into how PWs function POLYGRAPH WEAKNESS > very little insight into how PWs function > payload invariance assumptions are naïve > no clear reference to situational applications of signature generation algorithms

> should be more informative on initial topics POLYGRAPH SUGGESTIONS > should be more informative on initial topics > a wider range of studies required