Thwarting Zero-Day Polymorphic Worms With Network-Level Length-Based Signature Generation

Abstract

<para xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink"> It is crucial to detect zero-day polymorphic worms and to generate signatures at network gateways or honeynets so that we can prevent worms from propagating at their early phase. However, most existing network-based signatures are specific to exploit and can be easily evaded. In this paper, we propose generating vulnerability-driven signatures at network level without any host-level analysis of worm execution or vulnerable programs. As the first step, we design a network-based length-based signature generator (LESG) for the worms exploiting buffer overflow vulnerabilities<footnoteref refid="fnote1"/><footnote asterisk="no" id="fnote1"> <footnotepara>It is reported that more than 75% of vulnerabilities are based on bufferoverflow <citerefgrp><citeref refid="ref1"/></citerefgrp>.</footnotepara> </footnote>. The signatures generated are intrinsic to buffer overflows, and are very difficult for attackers to evade. We further prove the attack resilience bounds even under worst-case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching. Evaluation based on real-world vulnerabilities of various protocols and real network traffic demonstrates that LESG is promising in achieving these goals. </para>