Download presentation
Presentation is loading. Please wait.
Published byMerryl Small Modified over 6 years ago
1
POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms
Authors: James Newsome, Brad Karp, Dawn Song PUBLICATION: IEEE Security and Privacy Symposium, May 2005 CLASS PRESENTATION BY: Anvita Priyam
2
Intrusion Detection Systems(IDS)
POLYGRAPH Intrusion Detection Systems(IDS) > Monitor networking traffic for suspicious activity > Alert the system or administrator > May block user or source IP Signature based IDS > monitors packets on the n/w & compares them against database of signatures > lag in case of a new threat
3
Currently Used Techniques By IDS
POLYGRAPH Currently Used Techniques By IDS > string matching at arbitrary payload offsets > string matching at fixed payload offsets > matching of regular expressions within a flow’s payload
4
> changes its appearance with every instance
POLYGRAPH Polymorphic Worm > changes its appearance with every instance > byte sequences of worm instances vary > code remains the same Mechanism > encrypt the code with a random key > generate a short decryptor(PD) > PD and the key keep changing
5
Motivation for automating signatures
POLYGRAPH Motivation for automating signatures > earlier, signatures were generated manually > slow paced
6
Polygraph comes into picture
> signatures consist of multiple disjoint content substring > substrings: protocol framing, return addresses, poorly obfuscated code > often present in all variants of a payload PS: It does not consider single substring signature
7
Underlying Assumption
POLYGRAPH Underlying Assumption > possible to generate signatures automatically that match the many variants of PW > offer low false positives and low false negatives BASIS > share invariant content as they exploit same vulnerability
8
Sources of Invariant Content
POLYGRAPH Sources of Invariant Content > Exploit Framing( e.g., reserved keywords, binary constants that are part of wire protocol) > Exploit Payload
9
Signature Classes for PW > Conjunction Signatures
POLYGRAPH Signature Classes for PW > Conjunction Signatures > Token Subsequence Signature > Bayes Signature
10
Conjunction Signatures > signature consists of a set of tokens
POLYGRAPH Conjunction Signatures > signature consists of a set of tokens > all the tokens must match > order of matching is not particular
11
Token-subsequence Signatures > consists of ordered set of tokens
POLYGRAPH Token-subsequence Signatures > consists of ordered set of tokens > identical ordering is required for a match > can be easily expressed as regular expressions > more specific compared to conjunction signature
12
Bayes Signature > associated with a score and an overall threshold
POLYGRAPH Bayes Signature > associated with a score and an overall threshold > instead of exact matching it provides probabilistic matching > construction and matching is less rigid
13
ARCHITECTURE POLYGRAPH Suspicious Flow Pool Flow N/W PSG classifier
tap Innocuous Flow Pool Signature Evaluator
14
> Signature quality
POLYGRAPH Design Goals > Signature quality > Efficient signature generation > Efficient signature matching > Generation of small signature sets > Robustness against noise and multiple worms > Robustness against evasion and subversion
15
Signature Generation Algorithms
POLYGRAPH Signature Generation Algorithms > Pre-processing: Token extraction > first step to eliminate irrelevant parts > extract all distinct substrings of min length > Generating single signatures > for conjunction signature just use token extraction, signature is this set of tokens > for token subsequence signature find a subsequence of tokens that is present in sample. Iteratively apply string alignment
16
Signature Generation Algo( cont’d) > for bayes signature
POLYGRAPH Signature Generation Algo( cont’d) > for bayes signature > choose set of tokens > calculate empirical probability of occurrence > each token is then assigned a score > if greater than threshold classified as worm
17
Generating Multiple Signatures > Bayes signature remains unmodified
POLYGRAPH Generating Multiple Signatures > Bayes signature remains unmodified > Token subsequence and conjunction algos require clustering
18
Experimental Results > Single Polymorphic worm
POLYGRAPH Experimental Results > Single Polymorphic worm > Apache-Knacker Exploit > Conjunction signatures( .0024% False+,0% False-) > Token-subsequence(.0008% False+,0% False-) > Bayes signatures(.008% False+,0% False-) > BIND-TSIG Exploit > Conjunction signatures(0% False+ & False-) > Token-Subsequence(0% False+ & False-) > Bayes Signatures(.0023% False+,0% False-)
19
Experimental Results (cont’d)
POLYGRAPH Experimental Results (cont’d) > Single polymorphic worm & noise > conjunction & token subsequence signatures remain the same > Bayes signatures are not affected by noise until it grows beyond 80% > Multiple polymorphic worms & noise > conjunction & token subsequence signatures are generated for each type of worm. > only one bayes signature is generated that matches all the worms.
20
> content based filtering holds great promise for
POLYGRAPH CONCLUSION > content based filtering holds great promise for tackling PW > Polygraph automatically derives signatures for PW > It generates high quality signatures even in the presence of multiple flows and noise > rumors of demise of content based filtering is exaggerated
21
> very little insight into how PWs function
POLYGRAPH WEAKNESS > very little insight into how PWs function > payload invariance assumptions are naïve > no clear reference to situational applications of signature generation algorithms
22
> should be more informative on initial topics
POLYGRAPH SUGGESTIONS > should be more informative on initial topics > a wider range of studies required
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.