基于彩色编码的多态蠕虫特征自动提取方法

快速而准确地提取蠕虫特征对于有效防御多态蠕虫的传播至关重要,但是目前的特征产生方法在噪音干扰下无法产生正确的蠕虫特征.提出基于彩色编码的特征自动提取算法CCSF(color coding signature finding)来解决有噪音干扰情况下的多态蠕虫特征提取问题.CCSF算法将可疑池中的n条序列分成m组,然后运用彩色编码对每组序列进行特征提取.通过对每组提取出来的特征集合进行过滤筛选,最终产生正确的蠕虫特征.采用多类蠕虫对CCSF算法进行测试,并与其他蠕虫特征提取方法进行比较,结果表明,CCSF算法能够在有噪音干扰的条件下准确地提取出多态蠕虫的特征,该特征不包含碎片,易于应用到IDS(intrusion detection system)中对多态蠕虫进行检测.     

一种改进的多态蠕虫特征提取算法

大多数多态蠕虫特征提取方法不能很好地处理噪音,提取出的蠕虫特征无法对多态蠕虫进行有效检测。为此,提出一种改进的多态蠕虫特征提取算法。采用Gibbs算法从包含n条序列(包括k条蠕虫序列)的可疑流量池中提取出蠕虫特征,在识别蠕虫序列的过程中基于color coding技术提高算法的运行效率。仿真实验结果表明,该算法能够减少时间和空间开销,即使可疑池中存在噪音,也能有效地提取多态蠕虫。     

基于改进蚁群算法的多态蠕虫特征提取

多态蠕虫特征提取是基于特征的入侵检测的难点,快速提取出精确程度更高的多态蠕虫特征对于有效防范蠕虫的快速传播有着重要的作用。针对层次式的多序列匹配(HMSA)算法进行多序列比对的时间效率较低和由迭代方法提取出的特征不够精确等问题,提出了基于改进蚁群算法的多态蠕虫特征提取方法antMSA。该方法首先对蚁群的搜索策略进行了相应的改进,并将改进后的蚁群算法引入到奖励相邻匹配的全局联配(CMENW)算法中,利用蚁群算法快速收敛能力,在全局范围内快速生成较好解,提取出多态蠕虫的特征片段;然后将其转化为标准入侵检测系统(IDS)规则,用于后期防御。实验表明,改进后的蚁群算法能够较好地克服基本蚁群算法的停滞现象,扩大搜索空间,能够有效提高特征提取的效率和质量,降低误报率。     

基于蠕虫攻击模型和语义分析的特征码自动提取

传统手工提取蠕虫的特征串需要很长时间,而基于串模式分析自动提取的虚警率和漏警率始终不太理想.该文提出了一种基于蠕虫攻击模型的语义分析特征提取法.该方法基于蠕虫攻击模型先验知识,自动识别蠕虫代码各个功能部分,将蠕虫攻击的必用部分作为蠕虫的特征串,提出了蠕虫攻击的通用模型OSJUMP.基于该模型,证明了基于语义提取蠕虫特征的有效性,给出了一种基于语义的蠕虫特征自动提取算法.对Red Code等各种实际蠕虫进行测试,结果显示自动提取生成的蠕虫特征值和安全厂商手工分析提供的特征值具有很大的可比性.     

多态蠕虫产生器的设计与实现

为了更好地研究和防御多态蠕虫,在研究多态变形技术的基础上,针对基于缓冲区溢出漏洞进行传播的蠕虫,设计了多态蠕虫产生器。以SQL Slammer蠕虫和ATPhttpd蠕虫作为实例介绍产生器的工作过程。从产生器的设计过程和实例分析可以看出,通过多态处理的蠕虫依旧具有相同字符串序列特征,可以依据这些字符串序列对多态蠕虫进行有效防御。最后对产生器的功能进行测试。测试结果表明,该产生器能够对程序进行有效的多态处理,为多态蠕虫防御和特征自动提取等研究工作提供有效的实验数据。     

Polymorphic蠕虫特征自动提取算法及检测技术研究

入侵检测系统检测蠕虫攻击的关键在于蠕虫特征是否准确,随着蠕虫Polymorphic技术的不断发展,如何快速有效地提取Polymorphic蠕虫特征,是入侵检测中特征提取领域的一个重要的研究方向。采用基于模式的特征提取算法,通过对多个可疑Polymorphic蠕虫流量进行序列比对,自动提取它们的最长公共子序列,结果用两种形式的向量表示;并采用相似度度量的检测方法,利用已提取的特征向量,判别新到来的Polymorphic蠕虫流量所属的类别,从误报率和漏报率方面验证了特征提取算法的有效性以及相似度度量检测方法的有效性。     

蠕虫病毒特征码自动提取原理与设计

目前网络入侵检测系统(NIDS)主要利用特征码检测法来监测与阻止网络蠕虫,而蠕虫特征码提取仍是效率低的人工过程。为解决这个问题提出了基于陷阱网络的蠕虫特征码自动提取思想,介绍了原型系统的体系结构和主要算法。该系统利用数据包负载中出现频率高的字符串来提取蠕虫特征码。最后通过实验结果分析算法主要参数对系统的影响。     

基于NLA的Polymorphic蠕虫特征自动提取算法研究

随着Polymorphic蠕虫变形技术的不断发展,如何快速有效地提取其特征是入侵检测中特征提取领域的一个重要研究方向。采用基于模式的特征提取算法NLA(Normalized Local Alignment),通过对多个可疑Polymorphic蠕虫流量进行序列比对,自动提取高相似度公共子序列,以向量的形式构造蠕虫特征。实验结果表明该算法在误报率和漏报率方面均优于传统算法。     

改进的蠕虫特征自动提取模型及算法设计

文章提出了一种基于序列比对的蠕虫特征自动提取模型,该模型针对现有蠕虫特征自动提取系统的可疑蠕虫样本流量单来源和粗预处理等问题,提出了对网络边界可疑流量和蜜罐捕获网络流量统一的聚类预处理,并使用改进的T-Coffee多序列比对算法进行蠕虫特征提取。实验分别对Apache-Knacker和TSIG这两种蠕虫病毒进行特征提取,从实验结果可以看出文章提出的模型产生的特征质量优于比较流行的Polygraph、Hamsa两种技术。     

基于AOI方法的未知蠕虫特征自动发现算法研究

近年来频繁爆发的大规模网络蠕虫对Internet的整体安全构成了巨大的威胁，新的变种仍在不断出现。由于无法事先得到未知蠕虫的特征，传统的基于特征的入侵检测机制已经失效。目前蠕虫监测的一般做法是在侦测到网络异常后由人工捕获并进行特征的分析，再将特征加入高速检测引擎进行监测。本文提出了一种新的基于面向属性归纳（AOI）方法的未知蠕虫特征自动提取方法。该算法在可疑蠕虫源定位的基础上进行频繁特征的自动提取，能够在爆发的早期检测到蠕虫的特征，进而通过控制台特征关联监测未知蠕虫的发展趋势。实验证明该方法是可行而且有效的。     

An Automated Signature-Based Approach against Polymorphic Internet Worms

Capable of infecting hundreds of thousands of hosts, worms represent a major threat to the Internet. However, the defense against them is still an open problem. This paper attempts to answer an important question: How can we distinguish polymorphic worms from normal background traffic? We propose a new worm signature, called the position-aware distribution signature (PADS), which fills the gap between traditional signatures and anomaly-based intrusion detection systems. The new signature is a collection of position-aware byte frequency distributions. It is more flexible than the traditional signatures of fixed strings while it is more precise than the position-unaware statistical signatures. We propose two algorithms based on expectation-maximization (EM) and Gibbs sampling to efficiently compute PADS from a set of polymorphic worm samples. We also discuss how to separate a mixture of different polymorphic worms such that their respective PADS signatures can be calculated. We perform extensive experiments to demonstrate the effectiveness of PADS in separating new worm variants from normal background traffic.     

Investigations of automatic methods for detecting the polymorphic worms signatures

This paper investigates the current automatics methods used to generate efficient and accurate signatures to create countermeasures against attacks by polymorphic worms. These strategies include autograph, polygraph and Simplified Regular Expression (SRE). They rely on network-based signature detection and filtering content network traffic, as the signature generated by these methods can be read by Intrusion Prevention systems and firewalls. In this paper, we also present the architecture and evaluation of each method, and the implementation used as patterns by SRE mechanism to extract accurate signatures. Such implementation was accomplished through use of the Needleman–Wunsch algorithm, which was inadequate to manage the invariant parts and distances restrictions of the polymorphic worm. Consequently, an Enhanced Contiguous Substring Rewarded (ECSR) algorithm is developed to improve the result extraction from the Needleman–Wunsch algorithm and generate accurate signatures. The signature generation by SRE is found to be more accurate and efficient as it preserves all the important features of polymorphic worms. The evaluation results show that the signature contains conjunctions of tokens, or token subsequence can produce a loss of vital information such as ignoring one byte token or neglecting the restriction distances. Furthermore, the Simplified Regular Expression needs to be updated and accurate when compared with autograph and polygraph methods.     

Graph based signature classes for detecting polymorphic worms via content analysis

Malicious softwares such as trojans, viruses, or worms can cause serious damage for information systems by exploiting operating system and application software vulnerabilities. Worms constitute a significant proportion of overall malicious software and infect a large number of systems in very short periods. Polymorphic worms combine polymorphism techniques with self-replicating and fast-spreading characteristics of worms. Each copy of a polymorphic worm has a different pattern so it is not effective to use simple signature matching techniques. In this work, we propose a graph based classification framework of content based polymorphic worm signatures. This framework aims to guide researchers to propose new polymorphic worm signature schemes. We also propose a new polymorphic worm signature scheme, Conjunction of Combinational Motifs (CCM), based on the defined framework. CCM utilizes common substrings of polymorphic worm copies and also the relation between those substrings through dependency analysis. CCM is resilient to new versions of a polymorphic worm. CCM also automatically generates signatures for new versions of a polymorphic worm, triggered by partial signature matches. Experimental results support that CCM has good flow evaluation time performance with low false positives and low false negatives.     

ERES: an extended regular expression signature for polymorphic worm detection

Journal of Computer Virology and Hacking Techniques - The quick spreading of modern sophisticated polymorphic worms poses a serious threat to the internet security. So far, several signature...     

面向蠕虫自动特征产生系统的设计与实现

计算机以及网络的的迅速发展在带给人类方便的同时,也为恶意代码的传播提供了良好的条件。一种具有传播速度快,破坏力大和高智能性等特点的恶意代码一蠕虫,已引起人们的广泛重视。由于蠕虫传播速度极快,安全厂商很难迅速获得检测相应蠕虫的恶意代码的特征,而特征的迟后获得可能会给用户带来很大的潜在危害,因此,本文从协议分析的角度提出了一种特征的自动生成方法,并将产生的特征用来检测蠕虫,取得了良好的效果,并在此基础上用实例探测的方法进一步提高了准确性（降低了漏报与误报）。     

未知蠕虫自动检测技术研究

现有蠕虫检测系统的误报率较高。为此,提出未知蠕虫自动检测技术。利用多维蠕虫异常检测方法发现未知蠕虫,使用跳跃式多特征串提取方法得到未知蠕虫的特征串集合,并生成相应的特征检测规则,实现未知蠕虫的自动检测。实验结果证明,该技术能够成功发现新型蠕虫,具有较高的蠕虫检测率和较低的误报率。     

WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation

Fast and accurate generation of worm signatures is essential to contain zero-day worms at the Internet scale. Recent work has shown that signature generation can be automated by analyzing the repetition of worm substrings (that is, fingerprints) and their address dispersion. However, at the early stage of a worm outbreak, individual edge networks are often short of enough worm exploits for generating accurate signatures. This paper presents both theoretical and experimental results on a collaborative worm signature generation system (WormShield) that employs distributed fingerprint filtering and aggregation over multiple edge networks. By analyzing real-life Internet traces, we discovered that fingerprints in background traffic exhibit a Zipf-like distribution. Due to this property, a distributed fingerprint filtering reduces the amount of aggregation traffic significantly. WormShield monitors utilize a new distributed aggregation tree (DAT) to compute global fingerprint statistics in a scalable and load-balanced fashion. We simulated a spectrum of scanning worms including CodeRed and Slammer by using realistic Internet configurations of about 100,000 edge networks. On average, 256 collaborative monitors generate the signature of CodeRedl-v2 135 times faster than using the same number of isolated monitors. In addition to speed gains, we observed less than 100 false signatures out of 18.7-Gbyte Internet traces, yielding a very low false-positive rate. Each monitor only generates about 0.6 kilobit per second of aggregation traffic, which is 0.003 percent of the 18 megabits per second link traffic sniffed. These results demonstrate that the WormShield system offers distinct advantages in speed gains, signature accuracy, and scalability for large-scale worm containment.