1. Profiling Self-Propagating Worms via Behavioral Footprinting Xuxian Jiang, Dongyan Xu ACM WORM’06 November 3, 2006

2. 2 Characteristic of a Worm’s Attack A worm’s successful infection session usually contains sequences of steps. –e.g., target selection and probing, exploitation, and replication The logic in a worm’s implementation is different from that of the service or software being exploited by the worm. In a worm’s infection, each worm has its specific attack procedures trying to compromise the victim. –The worm’s payload often has invariant bytes –Each worm exhibits its “personalities” in terms of the target vulnerability, exploitation means, replication scheme, and payload features.

3. 3 Problem To effectively defend against self-propagating worms, a critical task is to create a complete, multi-facet profile for each worm, that can be used to identify worms. A well established dimension of worm profiling is content-based fingerprinting which characterizes a worm by extracting the most representative content sequences. But this approach does not capture a worm’s temporal infection behavior

4. 4 Behavioral Footprint Extraction: Given two infection traces F 1 = x 1 x 2 · · · x n and F2 = y 1 y 2 · · · y m, our algorithm is to find an optimal alignment (i.e., max substring) between them.

5. 5 Evaluations Behavioral footprinting characterizes worm infection steps and their order in every worm infection session.