An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature

Sureswaran Ramadass; Shubair A. Abdulla; Altyeb Altaher Altyeb

doi:10.1109/ICBNMT.2011.6155891

An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature

Sureswaran Ramadass^*, Shubair A. Abdulla, Altyeb Altaher Altyeb

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Polymorphic worms evade network security systems by varying their payload every time an infection is attempted. The payload's variation operation is performed by using built-in self content encryptor. However, all encrypted payloads share the same invariant exploit code to ensure exploiting same vulnerability in same manner on all victims. This research paper is an endeavor to interpret the invariant part into signature. The basic idea of the proposed method is to assemble attacking payloads on a honeypot, and then extracting the worm's signature by using a matching technique. The experiments were conducted on two datasets, Witty worm's payloads and synthetic payloads, and have demonstrated promising results.

Original language	English
Title of host publication	Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011
Pages	37-41
Number of pages	5
DOIs	https://doi.org/10.1109/ICBNMT.2011.6155891
Publication status	Published - 2011
Externally published	Yes
Event	2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011 - Shenzhen, China Duration: Oct 28 2011 → Oct 30 2011

Publication series

Name	Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011

Conference

Conference	2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011
Country/Territory	China
City	Shenzhen
Period	10/28/11 → 10/30/11

Keywords

exploit code
intrusion detection systems
synthetic worms
worm signature

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.1109/ICBNMT.2011.6155891

Cite this

Ramadass, S., Abdulla, S. A., & Altyeb, A. A. (2011). An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature. In Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011 (pp. 37-41). Article 6155891 (Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011). https://doi.org/10.1109/ICBNMT.2011.6155891

An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature. / Ramadass, Sureswaran; Abdulla, Shubair A.; Altyeb, Altyeb Altaher.
Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011. 2011. p. 37-41 6155891 (Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Ramadass, S, Abdulla, SA & Altyeb, AA 2011, An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature. in Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011., 6155891, Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011, pp. 37-41, 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011, Shenzhen, China, 10/28/11. https://doi.org/10.1109/ICBNMT.2011.6155891

Ramadass S, Abdulla SA, Altyeb AA. An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature. In Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011. 2011. p. 37-41. 6155891. (Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011). doi: 10.1109/ICBNMT.2011.6155891

Ramadass, Sureswaran ; Abdulla, Shubair A. ; Altyeb, Altyeb Altaher. / An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature. Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011. 2011. pp. 37-41 (Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011).

@inproceedings{193ea60f78324983a93ce2c8a4937c32,

title = "An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature",

abstract = "Polymorphic worms evade network security systems by varying their payload every time an infection is attempted. The payload's variation operation is performed by using built-in self content encryptor. However, all encrypted payloads share the same invariant exploit code to ensure exploiting same vulnerability in same manner on all victims. This research paper is an endeavor to interpret the invariant part into signature. The basic idea of the proposed method is to assemble attacking payloads on a honeypot, and then extracting the worm's signature by using a matching technique. The experiments were conducted on two datasets, Witty worm's payloads and synthetic payloads, and have demonstrated promising results.",

keywords = "exploit code, intrusion detection systems, synthetic worms, worm signature",

author = "Sureswaran Ramadass and Abdulla, {Shubair A.} and Altyeb, {Altyeb Altaher}",

year = "2011",

doi = "10.1109/ICBNMT.2011.6155891",

language = "English",

isbn = "9781612841564",

series = "Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011",

pages = "37--41",

booktitle = "Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011",

note = "2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011 ; Conference date: 28-10-2011 Through 30-10-2011",

}

TY - GEN

T1 - An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature

AU - Ramadass, Sureswaran

AU - Abdulla, Shubair A.

AU - Altyeb, Altyeb Altaher

PY - 2011

Y1 - 2011

N2 - Polymorphic worms evade network security systems by varying their payload every time an infection is attempted. The payload's variation operation is performed by using built-in self content encryptor. However, all encrypted payloads share the same invariant exploit code to ensure exploiting same vulnerability in same manner on all victims. This research paper is an endeavor to interpret the invariant part into signature. The basic idea of the proposed method is to assemble attacking payloads on a honeypot, and then extracting the worm's signature by using a matching technique. The experiments were conducted on two datasets, Witty worm's payloads and synthetic payloads, and have demonstrated promising results.

AB - Polymorphic worms evade network security systems by varying their payload every time an infection is attempted. The payload's variation operation is performed by using built-in self content encryptor. However, all encrypted payloads share the same invariant exploit code to ensure exploiting same vulnerability in same manner on all victims. This research paper is an endeavor to interpret the invariant part into signature. The basic idea of the proposed method is to assemble attacking payloads on a honeypot, and then extracting the worm's signature by using a matching technique. The experiments were conducted on two datasets, Witty worm's payloads and synthetic payloads, and have demonstrated promising results.

KW - exploit code

KW - intrusion detection systems

KW - synthetic worms

KW - worm signature

UR - http://www.scopus.com/inward/record.url?scp=84858238241&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84858238241&partnerID=8YFLogxK

U2 - 10.1109/ICBNMT.2011.6155891

DO - 10.1109/ICBNMT.2011.6155891

M3 - Conference contribution

AN - SCOPUS:84858238241

SN - 9781612841564

T3 - Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011

SP - 37

EP - 41

BT - Proceedings - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011

T2 - 2011 4th IEEE International Conference on Broadband Network and Multimedia Technology, IC-BNMT 2011

Y2 - 28 October 2011 through 30 October 2011

ER -

An automatic, prompt, and accurate exploit-based method to generate polymorphic worm's signature

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Cite this