DocumentCode
2529642
Title
Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms
Author
Gundy, Matthew Van ; Chen, Hao ; Su, Zhendong ; Vigna, Giovanni
Author_Institution
Univ. of California, Davis
fYear
2007
fDate
10-14 Dec. 2007
Firstpage
74
Lastpage
85
Abstract
To combat the rapid infection rate of today's Internet worms, signatures for novel worms must be generated soon after an outbreak. This is especially critical in the case of polymorphic worms, whose binary representation changes frequently during the infection process. In this paper, we examine the assumptions underlying two leading network-based signature generation systems for polymorphic worms: Polygraph [14] and Hamsa [12]. By identifying an assumption of both systems not met by all vulnerabilities, we discover a class of vulnerabilities (feature omission vulnerabilities) that neither system can accurately characterize. We demonstrate the limitations of Polygraph and Hamsa by testing the signatures that they generate for exploits targeting a feature omission vulnerability. We discuss why feature omission vulnerabilities are difficult to characterize and how increased semantic awareness can help the signature generation process.
Keywords
digital signatures; program testing; Hamsa; Internet worms; Polygraph; binary representation; feature omission vulnerabilities; infection process; network-based signature generation systems; polymorphic worms; signature generation thwarting; Application software; Bayesian methods; Character generation; Computer security; Computer worms; Filtering; Internet; Telecommunication traffic; Testing;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual
Conference_Location
Miami Beach, FL
ISSN
1063-9527
Print_ISBN
978-0-7695-3060-4
Type
conf
DOI
10.1109/ACSAC.2007.42
Filename
4412978