Thwarting Zero-Day Polymorphic Worms With Network-Level Length-Based Signature Generation

Authors: Lanjia Wang, Zhichun Li, Yan Chen, Zhi Fu, Xing Li

DOI: 10.1109/TNET.2009.2020431

Keywords:

Abstract: It is crucial to detect zero-day polymorphic worms and to generate signatures at network gateways or honeynets so that we can prevent worms from propagating in their early phase. However, most existing network-based signatures are specific to a particular exploit and can be easily evaded. In this paper, we propose generating vulnerability-driven signatures at the network level without any host-level analysis of worm execution or of the vulnerable programs. As the first step, we design a length-based signature generator (LESG) for worms exploiting buffer overflow vulnerabilities. The generated signatures are intrinsic to buffer overflows and are very difficult for attackers to evade. We further prove attack resilience bounds even under worst-case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching. Evaluation based on real-world vulnerabilities in various protocols and on real network traffic demonstrates that LESG is promising in achieving these goals.
