POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms
Authors: James Newsome, Brad Karp, Dawn Song
PUBLICATION: IEEE Symposium on Security and Privacy, May 2005
CLASS PRESENTATION BY: Anvita Priyam
POLYGRAPH
Intrusion Detection Systems (IDS)
> monitor network traffic for suspicious activity
> alert the system or the administrator
> may block the offending user or source IP
Signature-based IDS
> monitors packets on the network and compares them against a database of signatures
> lags behind a new threat until a signature for it exists
Signature matching techniques used by current IDS
> string matching at arbitrary payload offsets
> string matching at fixed payload offsets
> matching of regular expressions within a flow's payload
Polymorphic Worm
> changes its appearance with every instance
> the byte sequences of the worm instances vary
> the underlying code (what the worm does) stays the same
Mechanism
> encrypt the worm code with a random key
> prepend a short decryptor (PD) that recovers the code at run time
> both the PD and the key change from instance to instance
Motivation for automating signature generation
> signatures used to be generated manually
> manual generation is too slow to keep up with a spreading worm
Where Polygraph comes in
> a signature consists of multiple disjoint content substrings
> such substrings come from protocol framing, return addresses and poorly obfuscated code
> they are often present in every variant of a payload
Note: Polygraph does not use single-substring signatures; the invariant content of a polymorphic worm is typically too short and fragmented for one substring to be specific on its own
Underlying assumption
> it is possible to generate, automatically, signatures that match the many variants of a polymorphic worm
> with low false positives and low false negatives
Basis
> the variants share invariant content because they all exploit the same vulnerability
Sources of invariant content
> exploit framing (e.g., reserved keywords, binary constants that are part of the wire protocol)
> exploit payload (e.g., a return address that must point into the vulnerable process)
Signature classes for polymorphic worms
> conjunction signatures
> token-subsequence signatures
> Bayes signatures
Conjunction signatures
> a signature is a set of tokens
> a flow matches only if every token is present
> the tokens may appear in any order
Token-subsequence signatures
> a signature is an ordered sequence of tokens
> a flow matches only if the tokens appear in exactly that order
> easily expressed as a regular expression
> more specific than a conjunction signature over the same tokens
Bayes signatures
> each token carries a score and the signature has an overall threshold
> matching is probabilistic rather than exact: a flow matches when the scores of the tokens it contains sum past the threshold
> both construction and matching are less rigid than for the other two classes
ARCHITECTURE (figure: data flow through the system)
> a network tap feeds captured traffic to a flow classifier
> the classifier sorts flows into a suspicious flow pool and an innocuous flow pool
> the Polygraph signature generator (PSG) derives signatures from both pools
> a signature evaluator assesses the generated signatures
Design Goals
> Signature quality
> Efficient signature generation
> Efficient signature matching
> Generation of small signature sets
> Robustness against noise and multiple worms
> Robustness against evasion and subversion
Signature generation algorithms
> Pre-processing: token extraction
  > the first step, which eliminates the irrelevant parts of the flows
  > extract all distinct substrings of at least a minimum length that occur in enough of the suspicious flows
> Generating single signatures
  > conjunction signature: token extraction alone suffices; the signature is the set of extracted tokens
  > token-subsequence signature: find a subsequence of tokens that is present in every sample by iteratively applying string alignment
Signature generation algorithms (cont'd)
> Bayes signature
  > choose the set of tokens
  > compute the empirical probability of each token occurring in the suspicious pool and in the innocuous pool
  > assign each token a score derived from the ratio of those probabilities
  > a flow whose token scores sum to more than the threshold is classified as worm
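Added example (not code from the paper or from the slides): a self-contained Python model of what the Polymorphic Worm, Signature Classes and Signature Generation slides above describe. It constructs a toy polymorphic "worm" whose instances share only protocol framing, a fixed return-address value and a short decryptor stub (all hypothetical constants), plus benign flows that share the framing; it then extracts the tokens common to every suspicious flow and builds a conjunction, a token-subsequence and a Bayes signature from them. The token-subsequence construction uses a greedy order check instead of the paper's string alignment, the Bayes threshold is simply the lowest score seen in the suspicious pool, and tokens must occur in every suspicious flow (the single-worm, noise-free case); all three are simplifications of the paper's algorithms, and the traffic is constructed, not captured.

```python
import math
import random
from typing import Dict, List, Sequence, Tuple

# Constructed traffic (assumption: not the paper's data). Each worm instance is
# an HTTP request whose URI carries a fixed 4-byte "return address", a fixed
# 2-byte decryptor stub, a per-instance key, random junk and a body
# XOR-encrypted under that key. Only framing, return address and stub survive
# from one instance to the next; everything else is re-randomised.
FRAMING_HEAD = b"GET /cgi-bin/"
FRAMING_TAIL = b" HTTP/1.1\r\nHost: "
RETURN_ADDR = b"\x0a\x0b\x0c\x0d"   # hypothetical invariant return address
DECRYPTOR_STUB = b"\xf0\x0f"        # hypothetical unchanged part of the decryptor
BODY = b"worm body that stays functionally identical in every instance"

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def worm_instance(rng: random.Random) -> bytes:
    """One polymorphic instance: same function, different byte sequence."""
    key = rng.randrange(1, 256)
    filler = rng.randbytes(8).hex().encode()
    junk = rng.randbytes(6)
    host = rng.randbytes(4).hex().encode()
    return (FRAMING_HEAD + filler + RETURN_ADDR + DECRYPTOR_STUB + bytes([key])
            + junk + xor_bytes(BODY, key) + FRAMING_TAIL + host + b".example\r\n\r\n")

def innocuous_flow(rng: random.Random) -> bytes:
    """A benign request that shares the protocol framing but not the exploit."""
    return FRAMING_HEAD + rng.randbytes(4).hex().encode() + FRAMING_TAIL + b"www.example\r\n\r\n"

def build_pools(n: int = 5, seed: int = 2005) -> Tuple[List[bytes], List[bytes]]:
    """Seeded so the suspicious and innocuous pools are reproducible."""
    rng = random.Random(seed)
    return [worm_instance(rng) for _ in range(n)], [innocuous_flow(rng) for _ in range(n)]

def extract_tokens(samples: Sequence[bytes], min_len: int = 3) -> List[bytes]:
    """Pre-processing: maximal substrings of length >= min_len present in every
    sample, ordered by first occurrence in samples[0]. (The paper keeps substrings
    found in at least K samples; here K is the whole pool.)"""
    first = samples[0]
    common = set()
    for i in range(len(first)):
        for j in range(i + min_len, len(first) + 1):
            cand = first[i:j]
            if not all(cand in s for s in samples[1:]):
                break  # a longer extension from i cannot be common either
            common.add(cand)
    maximal = [t for t in common if not any(t != u and t in u for u in common)]
    return sorted(maximal, key=first.find)

def matches_conjunction(tokens: Sequence[bytes], flow: bytes) -> bool:
    """Conjunction signature: every token must be present, in any order."""
    return all(t in flow for t in tokens)

def token_subsequence_signature(samples: Sequence[bytes], tokens: Sequence[bytes]) -> List[bytes]:
    """Greedy stand-in for the paper's string alignment: a token is kept only if
    every sample contains it after the previously kept token."""
    kept: List[bytes] = []
    cursors = [0] * len(samples)
    for t in sorted(tokens, key=samples[0].find):
        hits = [s.find(t, c) for s, c in zip(samples, cursors)]
        if all(h >= 0 for h in hits):
            kept.append(t)
            cursors = [h + len(t) for h in hits]
    return kept

def matches_subsequence(ordered: Sequence[bytes], flow: bytes) -> bool:
    """Token-subsequence signature: tokens must appear in the given order."""
    pos = 0
    for t in ordered:
        pos = flow.find(t, pos)
        if pos < 0:
            return False
        pos += len(t)
    return True

def bayes_score(scores: Dict[bytes, float], flow: bytes) -> float:
    return sum(v for t, v in scores.items() if t in flow)

def bayes_signature(tokens: Sequence[bytes], suspicious: Sequence[bytes],
                    innocuous: Sequence[bytes]) -> Tuple[Dict[bytes, float], float]:
    """Score = log(P(token | worm) / P(token | innocuous)) with add-one smoothing.
    Threshold = lowest score in the suspicious pool, i.e. no false negatives on
    the training data (a simplification of the paper's threshold choice)."""
    scores: Dict[bytes, float] = {}
    for t in tokens:
        p_worm = (sum(t in f for f in suspicious) + 1) / (len(suspicious) + 2)
        p_inno = (sum(t in f for f in innocuous) + 1) / (len(innocuous) + 2)
        scores[t] = math.log(p_worm / p_inno)
    return scores, min(bayes_score(scores, f) for f in suspicious)

def matches_bayes(scores: Dict[bytes, float], threshold: float, flow: bytes) -> bool:
    return bayes_score(scores, flow) >= threshold

if __name__ == "__main__":
    suspicious, innocuous = build_pools()
    tokens = extract_tokens(suspicious)
    print("conjunction signature:", tokens)
    print("token-subsequence signature:", token_subsequence_signature(suspicious, tokens))
    scores, threshold = bayes_signature(tokens, suspicious, innocuous)
    print("bayes scores:", {t: round(v, 2) for t, v in scores.items()}, "threshold:", round(threshold, 2))
```

Running the script prints the three signatures. The framing tokens also occur in the innocuous pool, so they get a Bayes score of exactly zero; only the return-address/stub token separates worm from benign traffic, which is why the paper feeds the innocuous pool into signature generation rather than looking at suspicious flows alone.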
Generating multiple signatures (noise or several worms in the suspicious pool)
> the Bayes algorithm needs no modification
> the token-subsequence and conjunction algorithms require clustering of the suspicious flows, with one signature generated per cluster
Experimental results: single polymorphic worm
> Apache-Knacker exploit
  > conjunction signature: 0.0024% false positives, 0% false negatives
  > token-subsequence signature: 0.0008% false positives, 0% false negatives
  > Bayes signature: 0.008% false positives, 0% false negatives
> BIND-TSIG exploit
  > conjunction signature: 0% false positives, 0% false negatives
  > token-subsequence signature: 0% false positives, 0% false negatives
  > Bayes signature: 0.0023% false positives, 0% false negatives
Experimental results (cont'd): single polymorphic worm plus noise
> the conjunction and token-subsequence signatures remain the same
> the Bayes signatures are unaffected by noise until it exceeds 80% of the suspicious pool
Multiple polymorphic worms plus noise
> a separate conjunction or token-subsequence signature is generated for each worm
> a single Bayes signature is generated that matches all of the worms
CONCLUSION
> content-based filtering holds great promise for tackling polymorphic worms
> Polygraph automatically derives signatures for polymorphic worms
> it generates high-quality signatures even in the presence of multiple worms and noise
> rumours of the demise of content-based filtering are exaggerated
WEAKNESS
> very little insight into how polymorphic worms actually function
> the payload-invariance assumptions are naive
> no clear guidance on which signature generation algorithm suits which situation
SUGGESTIONS
> the introductory material should be more informative
> a wider range of studies is required