Abstract

It is widely believed that content-signature-based intrusion detection systems (IDS) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives.

Highlights

  • Enabled by ever-more pervasive Internet connectivity, an increasing variety of exploitable vulnerabilities in software, and a lack of diversity in the software running on Internet-attached hosts, Internet worms increasingly threaten the availability and integrity of Internet-based services. Toward defending against Internet worms, the research community has proposed and built intrusion detection systems (IDSes) [20, 21]

  • To detect and/or block Internet worm flows, IDSes use signatures that match bytes from a worm’s payload, using matching techniques including string matching at arbitrary payload offsets [20, 21]; string matching at fixed payload offsets [21]; and even matching of regular expressions within a flow’s payload [20]

  • The growing consensus in the security community is that polymorphic worms portend the death of content-based worm quarantine—that no sensitive and specific signatures may exist for worms that vary their content significantly on every infection


Summary

Introduction

Enabled by ever-more pervasive Internet connectivity, an increasing variety of exploitable vulnerabilities in software, and a lack of diversity in the software running on Internet-attached hosts, Internet worms increasingly threaten the availability and integrity of Internet-based services. Toward defending against Internet worms (and other attacks), the research community has proposed and built intrusion detection systems (IDSes) [20, 21]. A network administrator deploys an IDS at the gateway between his edge network and the Internet, or on an individual end host. The IDS searches inbound traffic for known patterns, or signatures, that correspond to malicious traffic. When such malicious traffic is found, the IDS may raise an alarm; block future traffic from the offending source address; or even block the remainder of the offending flow's traffic. To detect and/or block Internet worm flows, IDSes use signatures that match bytes from a worm's payload, using matching techniques including string matching at arbitrary payload offsets [20, 21]; string matching at fixed payload offsets [21]; and even matching of regular expressions within a flow's payload [20].
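As an added example (not code from the Polygraph paper or its authors), the following Python script illustrates the signature classes the abstract and introduction describe. It builds three constructed variants of a hypothetical HTTP exploit that share protocol framing and a repeated return address but differ in filler bytes and in the XOR key applied to the payload, extracts the substrings common to all of them, and then compares a single-substring signature against a conjunction signature (all tokens present, any order) and a token-subsequence signature (tokens in learned order) on both the variants and a benign request. Every request string, address and key here is invented, and the brute-force token extraction is a stand-in for the paper's own generation algorithms, not a reproduction of them.

```python
import re

# Constructed invariants shared by every variant of the hypothetical exploit:
# protocol framing on either side of the attack string, plus a repeated
# return address that must land on the right stack slot.  All values invented.
FRAME_HEAD = b"GET /cgi-bin/report.cgi?name="
RET_ADDR = b"\x10\xf0\xff\xbf" * 3          # hypothetical saved-EIP overwrite
FRAME_TAIL = b" HTTP/1.0\r\nHost: target\r\n\r\n"

# Plaintext payload: the well-known x86 execve("/bin/sh") byte sequence,
# used here purely as data to be obfuscated, never executed.
SHELLCODE = bytes.fromhex("31c050682f2f7368682f62696e89e3505389e1b00bcd80")


def make_variant(filler: bytes, key: int) -> bytes:
    """One polymorphic variant: same framing and return address, but a
    different filler and a different single-byte XOR key over the payload."""
    encoded = bytes(b ^ key for b in SHELLCODE)
    return FRAME_HEAD + filler + RET_ADDR + encoded + FRAME_TAIL


def common_tokens(samples, min_len=3):
    """Every maximal substring (length >= min_len) present in all samples.
    Brute force over the first sample; adequate for demo-sized inputs."""
    ref = samples[0]
    shared = set()
    for i in range(len(ref)):
        for j in range(i + min_len, len(ref) + 1):
            s = ref[i:j]
            if all(s in other for other in samples[1:]):
                shared.add(s)
            else:
                break  # longer extensions of s cannot be shared either
    # Keep only tokens not contained in a longer shared token; order by
    # position in the reference sample.
    maximal = [s for s in shared if not any(s != t and s in t for t in shared)]
    return sorted(maximal, key=ref.find)


def matches_single(token: bytes, flow: bytes) -> bool:
    """Classic single-substring signature."""
    return token in flow


def matches_conjunction(tokens, flow: bytes) -> bool:
    """Conjunction signature: all tokens present, in any order."""
    return all(t in flow for t in tokens)


def matches_subsequence(tokens, flow: bytes) -> bool:
    """Token-subsequence signature: tokens present in the learned order,
    expressed as the regular expression tok1.*tok2.*tok3."""
    pattern = b".*".join(re.escape(t) for t in tokens)
    return re.search(pattern, flow, re.DOTALL) is not None


# Constructed sample set: three worm variants and one benign request that
# shares the framing but carries no exploit.
VARIANTS = [
    make_variant(b"A" * 16, 0x9F),
    make_variant(b"B" * 16, 0x27),
    make_variant(b"C" * 16, 0xD4),
]
BENIGN = b"GET /cgi-bin/report.cgi?name=alice HTTP/1.0\r\nHost: target\r\n\r\n"
TOKENS = common_tokens(VARIANTS)


def evaluate():
    """Return {signature name: (false negatives over VARIANTS, false positives
    over BENIGN)} for each signature style."""
    # A signature taken from the varying (XOR-encoded) part of sample 0.
    body_sig = VARIANTS[0][len(FRAME_HEAD) + 16 + len(RET_ADDR):][:8]
    signatures = {
        "single:framing": lambda f: matches_single(FRAME_HEAD, f),
        "single:body-of-sample-0": lambda f: matches_single(body_sig, f),
        "conjunction": lambda f: matches_conjunction(TOKENS, f),
        "token-subsequence": lambda f: matches_subsequence(TOKENS, f),
    }
    results = {}
    for name, fn in signatures.items():
        false_neg = sum(not fn(v) for v in VARIANTS)
        false_pos = int(fn(BENIGN))
        results[name] = (false_neg, false_pos)
    return results


if __name__ == "__main__":
    for tok in TOKENS:
        print("token:", tok)
    for name, (fn_count, fp_count) in evaluate().items():
        print(f"{name:26s} false negatives={fn_count} false positives={fp_count}")
```

The run shows the point the paper makes: a single substring drawn from the framing matches every variant but also the benign request, a single substring drawn from the encoded payload matches only the sample it came from, while the conjunction and token-subsequence signatures built from the three invariant tokens match every variant and nothing benign. The brute-force extractor is quadratic in the reference sample and keeps only maximal tokens; the paper's algorithms also handle noisy sample sets, which this demo does not.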
