Generating simplified regular expression signatures for polymorphic worms

Authors: Yong Tang, Xicheng Lu, Bin Xiao

DOI: 10.1007/978-3-540-73547-2_49

Keywords:

Abstract: It is crucial to automatically generate accurate and effective signatures to defend against polymorphic worms. Previous work using conjunctions of tokens or token subsequences could lose some important information, for example by ignoring 1-byte tokens or neglecting the distances between sequential tokens. In this paper we propose the Simplified Regular Expression (SRE) signature and present its signature generation method, which is based on a multiple sequence alignment algorithm. The algorithm is extended from a pairwise alignment algorithm; it encourages contiguous substring extraction and is able to support wildcard strings that preserve distance-invariant content segments in the generated SRE signatures. Thus, SRE signatures can express more information about polymorphic worms, which in turn makes even the signatures extracted from worms valuable. Experiments on several types of polymorphic worms show that, compared with signatures generated by current network-based signature generation systems (NSGs), SRE signatures are more precise in matching.
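As an added illustration (not the paper's code, and not its multiple-sequence-alignment extension), the following Python builds a two-sample SRE-style signature from a plain Needleman-Wunsch pairwise alignment: runs of identical bytes become literal tokens, equal-length runs of differing bytes become fixed-distance wildcards `.{n}`, and runs that contain alignment gaps become `.*`. The sample payloads, the scoring parameters and the token representation are all constructed here as assumptions; the fixed-distance wildcard is what lets the signature reject a payload whose invariant segments sit at the wrong distance, which a token-subsequence signature would accept.

```python
import re

# Constructed sample payloads, not data from the paper: two variants of one
# hypothetical request. They differ in a path component of varying length and
# in two 8-byte fields whose contents change but whose positions do not.
SAMPLE_A = b"GET /srv/A.cgi?id=0x11223344&k=AAAAAAAA\r\nHost: x\r\n\r\n"
SAMPLE_B = b"GET /srv/BBBBB.cgi?id=0x55667788&k=CCCCCCCC\r\nHost: x\r\n\r\n"


def align(a, b, match=2, mismatch=-1, gap=-2):
    """Needleman-Wunsch global alignment of two byte strings.

    Returns a list of (x, y) columns; None marks a gap on that side. A
    mismatch (-1) costs less than a pair of gaps (-4), so equal-length
    variable regions align byte-for-byte instead of being split by gaps,
    which is what lets the signature keep their length as a fixed distance.
    """
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = match if a[i - 1] == b[j - 1] else mismatch
            score[i][j] = max(score[i - 1][j - 1] + sub,
                              score[i - 1][j] + gap,
                              score[i][j - 1] + gap)
    # Trace back from the bottom-right corner, preferring diagonal moves.
    cols = []
    i, j = n, m
    while i > 0 or j > 0:
        if i > 0 and j > 0:
            sub = match if a[i - 1] == b[j - 1] else mismatch
            if score[i][j] == score[i - 1][j - 1] + sub:
                cols.append((a[i - 1], b[j - 1]))
                i, j = i - 1, j - 1
                continue
        if i > 0 and score[i][j] == score[i - 1][j] + gap:
            cols.append((a[i - 1], None))
            i -= 1
        else:
            cols.append((None, b[j - 1]))
            j -= 1
    cols.reverse()
    return cols


def build_sre(a, b):
    """Turn an alignment into SRE-style tokens (a constructed representation):
    ('lit', bytes) for invariant content, ('fixed', n) for an n-byte region
    that varies but keeps its length, ('any',) for a region of varying length.
    """
    tokens = []
    lit = bytearray()
    var_len, var_gap = 0, False
    for x, y in align(a, b):
        if x is not None and x == y:
            if var_len:
                tokens.append(('any',) if var_gap else ('fixed', var_len))
                var_len, var_gap = 0, False
            lit.append(x)
        else:
            if lit:
                tokens.append(('lit', bytes(lit)))
                lit = bytearray()
            var_len += 1
            if x is None or y is None:
                var_gap = True
    if lit:
        tokens.append(('lit', bytes(lit)))
    if var_len:
        tokens.append(('any',) if var_gap else ('fixed', var_len))
    return tokens


def to_regex(tokens):
    """Compile the tokens into a bytes regex; DOTALL so wildcards span newlines."""
    parts = []
    for tok in tokens:
        if tok[0] == 'lit':
            parts.append(re.escape(tok[1]))
        elif tok[0] == 'fixed':
            parts.append(b'.{%d}' % tok[1])
        else:
            parts.append(b'.*')
    return re.compile(b''.join(parts), re.DOTALL)


def signature_matches(tokens, data):
    """True if the signature fires on the payload (search, as an IDS would)."""
    return to_regex(tokens).search(data) is not None


if __name__ == "__main__":
    sig = build_sre(SAMPLE_A, SAMPLE_B)
    print(to_regex(sig).pattern.decode("latin-1"))
```

The `fixed` token is the piece a token-subsequence signature lacks: a payload that keeps the literals `0x` and `&k=` but shortens the field between them no longer matches, while a fresh variant with the same layout still does.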
