Article

Polygraph: Automatically Generating Signatures for Polymorphic Worms

Authors:

James Newsome,

Brad Karp,

Dawn SongAuthors Info & Claims

SP '05: Proceedings of the 2005 IEEE Symposium on Security and Privacy

Pages 226 - 241

https://doi.org/10.1109/SP.2005.15

Published: 08 May 2005 Publication History

Publisher Site

Abstract

It is widely believed that content-signature-based intrusion detection systems (IDSes) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives.

Cited By

View all

Seo HYoon MCalandrino JTroncoso C(2023)Generative intrusion detection and prevention on data streamProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620479(4319-4335)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620479
Dong YLi QWu KLi RZhao DTyson GPeng JJiang YXia SXu MCalandrino JTroncoso C(2023)HorusEyeProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620270(571-588)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620270
Du MHu WHewlett WDemartini GZuccon GCulpepper JHuang ZTong H(2021)AutoComboProceedings of the 30th ACM International Conference on Information & Knowledge Management10.1145/3459637.3481896(3777-3786)Online publication date: 26-Oct-2021
https://dl.acm.org/doi/10.1145/3459637.3481896
Show More Cited By

Index Terms

Polygraph: Automatically Generating Signatures for Polymorphic Worms
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

TrueWatch: Polygraph Examination With Smartwatches
The traditional polygraph instrument is used worldwide for lie detection tests. It is currently used broadly in the civil sector, terrorism investigations, and criminal cases. In this paper, we introduce a novel concept of conducting lie detection tests ...
WormTerminator: an effective containment of unknown and polymorphic fast spreading worms
ANCS '06: Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems

The fast spreading worm is becoming one of the most serious threats to today's networked information systems. A fast spreading worm could infect hundreds of thousands of hosts within a few minutes. In order to stop a fast spreading worm, we need the ...
Polygraph: system for dynamic reduction of false alerts in large-scale it service delivery environments
USENIXATC'11: Proceedings of the 2011 USENIX conference on USENIX annual technical conference

In order to avoid critical SLA violations, service providers use monitoring technology to automate the identification of relevant events in the performance of managed components and forward them as incident tickets to be resolved by system ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SP '05: Proceedings of the 2005 IEEE Symposium on Security and Privacy

May 2005

244 pages

ISBN:0769523390

Publisher

IEEE Computer Society

United States

Publication History

Published: 08 May 2005

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

171
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 19 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Seo HYoon MCalandrino JTroncoso C(2023)Generative intrusion detection and prevention on data streamProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620479(4319-4335)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620479
Dong YLi QWu KLi RZhao DTyson GPeng JJiang YXia SXu MCalandrino JTroncoso C(2023)HorusEyeProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620270(571-588)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620270
Du MHu WHewlett WDemartini GZuccon GCulpepper JHuang ZTong H(2021)AutoComboProceedings of the 30th ACM International Conference on Information & Knowledge Management10.1145/3459637.3481896(3777-3786)Online publication date: 26-Oct-2021
https://dl.acm.org/doi/10.1145/3459637.3481896
Haq ICaballero J(2021)A Survey of Binary Code SimilarityACM Computing Surveys10.1145/344637154:3(1-38)Online publication date: 17-Apr-2021
https://dl.acm.org/doi/10.1145/3446371
Raff EZak RLopez Munoz GFleming WAnderson HFilar BNicholas CHolt JLigatti JOu XAfroz SCarlini NDemontis A(2020)Automatic Yara Rule Generation Using BiclusteringProceedings of the 13th ACM Workshop on Artificial Intelligence and Security10.1145/3411508.3421372(71-82)Online publication date: 13-Nov-2020
https://dl.acm.org/doi/10.1145/3411508.3421372
Doll CSykosch AOhm MMeier M(2019)Automated Pattern Inference Based on Repeatedly Observed Malware ArtifactsProceedings of the 14th International Conference on Availability, Reliability and Security10.1145/3339252.3340510(1-10)Online publication date: 26-Aug-2019
https://dl.acm.org/doi/10.1145/3339252.3340510
Afek YBremler-Barr AFeibish S(2019)Zero-Day Signature Extraction for High-Volume AttacksIEEE/ACM Transactions on Networking10.1109/TNET.2019.289912427:2(691-706)Online publication date: 1-Apr-2019
https://dl.acm.org/doi/10.1109/TNET.2019.2899124
Jones JHiser JDavidson JForrest SLitoiu MClarke STei K(2019)Defeating denial-of-service attacks in a self-managing N-variant systemProceedings of the 14th International Symposium on Software Engineering for Adaptive and Self-Managing Systems10.1109/SEAMS.2019.00024(126-138)Online publication date: 25-May-2019
https://dl.acm.org/doi/10.1109/SEAMS.2019.00024
Sykosch AOhm MMeier M(2018)Hunting Observable Objects for Indication of CompromiseProceedings of the 13th International Conference on Availability, Reliability and Security10.1145/3230833.3233282(1-8)Online publication date: 27-Aug-2018
https://dl.acm.org/doi/10.1145/3230833.3233282
Cao YYu AAday AStahl EMerwine JYang JKim JAhn GKim SKim YLopez JKim T(2018)Efficient Repair of Polluted Machine Learning Systems via Causal UnlearningProceedings of the 2018 on Asia Conference on Computer and Communications Security10.1145/3196494.3196517(735-747)Online publication date: 29-May-2018
https://dl.acm.org/doi/10.1145/3196494.3196517
Show More Cited By

Abstract

Cited By

Index Terms

Recommendations

TrueWatch: Polygraph Examination With Smartwatches

WormTerminator: an effective containment of unknown and polymorphic fast spreading worms

Polygraph: system for dynamic reduction of false alerts in large-scale it service delivery environments

Comments

Information

Published In

Publisher

Publication History

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations