TY - GEN
T1 - Differencing worm flows and normal flows for automatic generation of worm signatures
AU - Simkhada, Kumar
AU - Tsunoda, Hiroshi
AU - Waizumi, Yuji
AU - Nemoto, Yoshiaki
PY - 2005/12/1
Y1 - 2005/12/1
N2 - Internet worms pose a serious threat to networks. Most current Intrusion Detection Systems (IDSs) take a signature-matching approach to detect worms. Given that most signatures are developed manually, generating new signatures for each variant of a worm incurs significant overhead. In this paper, we propose a difference-based scheme that differences worm flows and normal flows to generate robust worm signatures. The proposed scheme is based on two observational facts: worm flows contain several invariant portions in their payloads, and core worm code does not exist in normal flows. It uses samples of worm flows detected by available means to extract common tokens. It then differences the set of these tokens with those of normal flows and generates signature candidates. By using such signatures within enterprises, out of reach of worm writers, the possibility of being tricked by worm writers can be reduced. We evaluate the proposed scheme using real network traffic traces that contain worms. Experimental results show that the proposed scheme exhibits a high detection rate with low false positives.
UR - http://www.scopus.com/inward/record.url?scp=33846325508&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=33846325508&partnerID=8YFLogxK
U2 - 10.1109/ISM.2005.49
DO - 10.1109/ISM.2005.49
M3 - Conference contribution
AN - SCOPUS:33846325508
SN - 0769524893
SN - 9780769524894
T3 - Proceedings - Seventh IEEE International Symposium on Multimedia, ISM 2005
SP - 680
EP - 685
BT - Proceedings - Seventh IEEE International Symposium on Multimedia, ISM 2005
T2 - Seventh IEEE International Symposium on Multimedia, ISM 2005
Y2 - 12 December 2005 through 14 December 2005
ER -