蠕虫正则表达式特征自动提取技术研究

doi:10.3969/j.issn.1000-436x.2013.03.018

摘要/Abstract

摘要：

提出一种实用的蠕虫正则表达式特征自动提取方法，该方法由蠕虫传播网络流样本获取、特征树生成、高假阳性特征剔除、特征融合这4步组成。该方法的优点是可输出具有强描述能力的包含“.*”、“.{k}”、“|”、“(c){k}”等元字符的正则表达式特征。基于蜜罐系统(Honeybow)实现了该方法，并针对互联网上数种真实蠕虫进行了实验。实验结果表明，该方法可以准确地提取真实蠕虫的正则表达式特征，可以在蜜罐、蠕虫及恶意代码分析等系统中应用。

关键词: 蠕虫, 恶意代码, 特征提取, 特征树, 正则表达式, 蜜罐, 入侵检测

Abstract:

A practical worm regular expression of automatic extraction method was presented,which involves four steps:sample collection from worm propagation, signature tre generation, removal of high false-positive signatures, and sig-nature merging. The advantage of this method is that it can directly output expression signature with the rich syntax of“.*”, “.{k}”, “|”, “(c){k}”. Based on the honeypot system Honeybow deployed in Internet, the method was implemented and evaluated by several in-wild worms under real Internet environment. The experiment results show that the method can generate accurate regular expression signatures for real worms and is promising for the applications of automatic analysis of worms and malwares.

Key words: worm, malware, signature generation, signature tree, regular expression, honeybow, intrusion detection

唐勇,诸葛建伟,陈曙晖,卢锡城. 蠕虫正则表达式特征自动提取技术研究[J]. 通信学报, 2013, 34(3): 141-147.

Yong TANG,Jian-wei ZHUGE,Shu-hui CHEN,Xi-cheng LU. Automatic generating regular expression signatures for real network worms[J]. Journal on Communications, 2013, 34(3): 141-147.

图/表 6

图1

图2

图3

表1

表2

提取的真实蠕虫的正则表达式特征"

蠕虫名称	样本数量运行时间/	特征树节点数量	归并后的输出的正则表达式特征	假阳性	假阴性
virut.n	31/719	6	.0x000x000x00.{1}0xffSMBr0x000x000x000x00(0x18S0xc80\|0x080x01@)0x00{14}.{2}0x00.{3}0x00.{1}0x000x02PC NETWORK PROGRAM 1..00x000x02LANMAN1.0.0x000x02LM1.2X002.0x000x02NT LM 0.120x000x000x00.{2}0xffSM Bs0x000x000x000x00.{3}0x000x000x00.0x00{9}.0x000x000x00.0x000x000x000x00.{1}0xff.0x000x000x00.{3}0x00{7}.0x000x000x000x00.0x000x00.0x010x00.	0	0
virut.as	40/902	9	1.0x810x000x00H CKFDENECFDEFFCFGEFFC(CA){6}0x00 EMEPEDEBEMEIEPFDFE(CA){6}AA0x000x000x{5}.{1}0xffSMBr0x000x000x000x00.{3}0x00{14}.{2}0x00.{1}0x00.{1}0x00.{1}0x000x02PC NETWORKPROGRAM 1..00x000x02LANMAN1.0.0x000x02LM1.2X002.0x000x02NT LM .120x000x000x00.{2}0xffSMBs0x000x000x000x00.{3}0x000x000x00.0x00{9}.0x000x000x00.0x000x000x000x00.{1}0xff.0x000x000x00.{3}0x00{6}.0x000x000x000x00.0x000x00.0x010x00."2. .0x000x000x000xa80xffSMBr0x000x000x000x000x080x01@0x00{14}0x020x000x08.{2}0x000x850x000x02PCNETWORK PROGRAM 1.00x000x02MICROSOFT NETWORKS 1.030x00 SOFT NETWORKS 00x000x02LANMAN1.00x000x02LM1.2X0020x000x02LANMAN2.10x000x02NT LANMAN 1.00x000x02NT LM 0.120x000x000x000x00b0xffSM Bs0x000x000x000x000x080x01@0x00{14}0x020x000x08.{2}0x0d0xff0x000x000x000x00D0x020x000xfc0x090x00{12}0xf00x000x000x00%0x000x000x00Windows 2000 21950x00Windows 2000 5.00x000x000x000x00D0xffSMBu0x000x000x000x000x180x01 0x00{14}0x020x000x08.{2}0x040xff0x00{5}x010x000x190x000x00\\.SMBSERVER\IPC$0x00?????0x000x000x000x00Y0xffSMB0xa20x000x000x000x000x180x01 0x00{12}0x08 0x020x000x08.{2}0x180xff0x000x000x000x000x050x000x160x00{7}x9f0x010x020x00{13}0x070x000x000x000x010x000x000x00@0x000x000x000x020x000x000x000x000x060x00\samr0x000x000x000x000x920xffSMB%0x000x000x000x000x180x01 0x000{13}x08 0x020x000x08.{2}0x100x000x00H0x000x000x040xe00xff0x00{12}J0x00H0x00J0x000x020x00＆0x000x00@O0x00\PIPE\0x000x050x000x0b0x030x100x000x000x00H0x00{6}xd00x160xd00x160x000x000x000x000x010x00{5}x010x00j(0x1990x0c0xb10xd00x110x9b0xa80x000xc0O0xd9.0xf50x000x000x000x000x04]0x880x8a0xeb0x1c0xc90x110x9f0xe80x080x00+0x10H`0x020x00{5}x0c0xdf0xffSMB/0x000x000x000x000x180x01 0x00{13}0x08 0x020x000x08.{2}0x0e0xff0x000x000x000x00@0x000x000x000x000xff0xff0xff0xff0x080x000xa00x0c0x000x000xa00x0c?0x00{5}xa00x0c0x050x000x000x010x100x000x000x000xa00x0c0x00{6}x880x0c0x000x000x000x000x090x000xec0x030x00{6}xec0x030x000x000x90{160}0x810xc40xff0xef0xff0xffD0xeb0x020xebk0xe80xf90xff0xff fSUVW0x8bl$0x180x8bE＜0x8bT(x0x030xd50x8bJ0x180x8bZ 0x030xdd0xe32I0x8b40x8b0x030xf530xff0xfc30xc00xac80xe0t0x070xc10xcf0x0d0x030xf80xeb0xf2;$0x14u0xe10x8bZ$0x030xddf0x8b0x0cK0x8bZ0x1c0x030xdd0x8b0x040x8b0x030xc50xeb0x0230xc0_.	0	0
rbot.bsz	40/2160	1	0x810x000x00D KFDENECFDEFFCFGEFFC(CA){23}AA0x000x000x000x000x850xffSMBr0x000x000x000x000x18S0xc80x00{12}x0070x130x00{5}b0x000x02PC NETWORK PROGRAM 1.00x000x02LANMAN1.00x000x02Windows for Workgroups 3.1a0x000x02LM1.2X0020x000x02LANMAN2.10x000x02NT LM 0.120x000x000x000x100xbf0xffSMBs0x000x000x000x000x180x070xc80x00{12}x0070x130x000x000x000x000x0c0xff0x000x000x000x040x110x0a0x00{7}~0x100x000x000x000x000xd40x000x000x80~0x10`0x820x10z0x060x06+0x060x010x050x050x020xa00x820x10n00x820x10j0xa10x820x10f#0x820x10b0x030x820x040x010x00A{70}	0	0
Sasser.d	48/552	13	0x000x000x000x850xffSMBr0x000x000x000x000x18S0xc80x00{14}xff0xfe0x00{5}b0x000x02PC NETWORKPROGRAM 1.00x000x02LANMAN1.00x000x02Windows for Workgroups 3.1a0x000x02LM1.2X0020x000x02LANMAN2.10x000x02NT LM 0.120x000x000x000x000xa40xffSMBs0x000x000x000x000x180x070xc80x00{19}0x100x000x0c0xff0x000xa40x000x040x110x0a0x00{12}0x000xd40x000x000x80i0x00NTLMSSP0x000x010x000x000x000x970x820x080xe00x00{17}W0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x000x0020x0010x0090x0050x000x000x00W0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x00 0x0050x00.0x00{8}xda0xffSM Bs0x000x000x000x000x180x070xc80x00{14}xff0xfe0x000x08 0x000x0c0xff0x000xda0x000x040x110x0a0x00{7}x00W0x00{5}xd40x000x000x800x9f0x00NTLMSSP0x000x030x000x000x000x01 0x010x00F0x00{14}@0x00{7}@0x000x000x000x060x000x060x00@0x000x000x000x100x000x100x00G0x000x000x000x150x8a0x880xe0H0x00O0x00D0x000x000x810x19jz0xf20xe4I0x1c(0xaf0%t0x10gSW0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x000x0020x0010x0090x0050x000x000x00W0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x00 0x0050x00.0x0000x00{8}[1]0xffSMBu0x000x000x000x000x180x070xc80x00{14}0xff0xfe0x000x0800x000x040xff0x00\0x000x080x000x010x00.{1}0x000x00\0x00\0x0010x0090x0020x00.0x0010x0060x0080x00.0x00.0x00.0x00.{1}0x00.{1}0x00\0x00i0x00p0x00c0x00$0x000x000x00?????0x000x000x000x00d0xffSMB0xa20x000x000x000x000x180x070xc80x00{13}x080xdc0x040x000x08@0x000x180xff0x000xde0xde0x000x0e0x 160x00{7}x9f0x010x020x00{13}x030x000x000x000x010x000x000x00@0x000x000x000x020x000x000x000x030x110x000x00\0x00l0x00s0x00a0x00r0x00p0x00c0x00{6}x9c0xffSMB%0x000x000x000x000x180x070xc80x00.{13}x080xdc0x040x000x08P0x000x100x000x00H0x000x000x000x000x040x00{12}x00T0x00H0x00T0x000x020x00＆0x000x00@Y0x000x10\0x00P0x00I0x00P0x00E0x00\0x00{5}x050x000x0b0x030x100x000x000x00H0x000x000x000x010x000x000x000xb80x100xb80x100x000x000x000x000x010x00{5}0x010x00j(0x1990x0c0xb10xd00x110x9b0xa80x000xc0O0xd9.0xf50x000x000x000x000x04]0x880x8a0xeb0x1c0xc90x110x9f0xe80x080x00+0x10H`0x020x00{5}0x0c0xf40xffSM B%0x000x000x000x000x180x070xc80x00{13}0x080xdc0x040x000x08`0x000x100x000x000xa00x0c0x000x000x000x040x00{12}T0x000xa00x0cT0x000x020x00＆0x000x00@0xb10x0c0x10\0x00P0x00I0x00P0x00E0x00\0x00{5}0x050x000x000x030x100x000x000x000xa00x0c0x000x000x010 x000x000x880x0c0x000x000x000x000x090x000xec0x030x00{6}xec0x03*0x900x900x900x900x900x900x900x900x90"	0	0

表2

表3

参考文献 16

[1]	FOGLAP , SHARIFM , PERDISCIR , et al. Polymorphic blending attacks[A]. Proceedings of the 15th Conference on USENIX Security Symposium[C]. Berkeley, CA, USA, 2006,17.
[2]	GUNDYM V , BALZAROTTID , FIELDSCHEMAG V . Catch me, if you can: evading network signatures with Web-based polymorphic worms[A]. Proceedings of the First USENIX Workshop on Offensive Technologies (WOOT)[C]. Boston, MA,USA, 2007.
[3]	唐勇, 卢锡城, 王勇军 . 攻击特征自动提取技术综述[J]. 通信学报, 2009,30(2): 96-105. TANGY , LUX C , WANGY J . Survey of automatic attack s gnature generation[J]. Journal on Communications, 2009,30(2): 96-105.
[4]	KREIBICHC , CROWCROFTJ . Honeycomb-creating intrusion detection signatures using honeypots[A]. Proceedings of the Second Workshop on Hot Topics in Networks (Hotnets II)[C]. Boston, 2003. 51-56.
[5]	WANGK , CRETUG , STOLFOS J . Anomalous payload-based worm detection and signature generation[A]. Proceedings of Recent Ad-vances in Intrusion Detection (RAID)[C]. 2003. 227-246.
[6]	SINGHS , ESTANC , VARGHESEG , et al. Automated worm finger-printing[A]. Proceedings of the 6th USENIX OSDI[C]. 2004. 45-60.
[7]	KIMH A , KARPB . Autograph: toward automated, distribu worm signature detection[A]. Proceedings of USENIX Security Sympo-sium[C]. 2004. 271-286.
[8]	SINGHS , ESTANC , VARGHESEG , et al. Automated worm finger-printing[A]. Proceedings of the 6th USENIX OSDI[C]. San Francisco, CA, 2004. 45-60.
[9]	NEWSOMEJ , KARPB , SONGD . Polygraph: automatically generat-ing signatures for polymorphic worms[A]. Proceedings of IEEE Sym-posium on Security and Privacy[C]. Washington, DC, USA, 2005. 226-241.
[10]	LIZ , SANGHIM , CHENY , et al. Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. Wash-ington, DC, USA, 2006. 32-47.
[11]	YEGNESWARANV , GIFFINJ T , BARFORDP , et al. An architec-ture for generating semantics-aware signatures[A]. Proceedings of the 14th USENIX Security Symposium[C]. Baltimore, MD, USA, 2005. 97-112.
[12]	唐勇, 卢锡城, 胡华平等. 基于多序列联配的攻击特征自动提取技术研究[J]. 计算机学报, 2006,29(9): 1533-1541. TANGY , LUX C , HUH P , et al. Automatic generation of attack sig-natures based on multi-sequence alignment[J]. Chinese Journal of computers, 2006,29(9): 1533-1541.
[13]	TANGY , LUX , XIAOB . Generating simplified regular expression Signatures for polymorphic worms[A]. Proceedings of the 4th Interna-tional Conference on Autonomic and Trusted Computing (ATC-07)[C]. 2007. 478-488.
[14]	TANGY , LUX , XIAOB . Using a bioinformatics approach to gener-ate accurate exploit-based signatures for polymorphic worms[J]. Comput, Secur, 2009.
[15]	诸葛建伟, 韩心慧, 周勇林等. HoneyBow:一个基于高交互式蜜罐技术的恶意代码自动捕获器[J]. 通信学报, 2007,28(12): 8-13. ZHUGEJ W , HANX H , ZHOUY L , et al. HoneyBow:an automated malware collection tool based on the high-interaction honeypot prin-ciple[J]. Journal on Communications, 2007,28(12): 8-13.
[16]	LIPPMANNR , HAINESJ W , FRIEDD J , et al. The 1999 DARPA off-line intrusion detection evaluation[J]. Comput, Networks, 2000,34(4): 579-595.

方法	生成的特征	性能/s
早期单个子串方法^[4,5]	‘.ida?' or ‘%u7801’	18.5
子串序列方法^[9]	GET /..ida?.XX.%u.%u7801.*HTTP/1.0\r\n	11
子串集合方法^[10]	{‘.ida? ': 1, ‘%u780':1,‘HTTP/1.0\r\n':1,‘GET/': 1,‘%u': 2}	12.5
简单正则表达式方法^[13]	‘GET/'.‘.ida?'.‘XX'[15]%u.%u780.=.[7]HTTP/1.0\r\n	869
本文方法	GET/..ida?.XX.[15]%u.%u780.=(aaa\|bbb\|ccc)HTTP/1.0\r\n	42

方法			特征准确性
方法	能否提取多个特征片段	能否提取长度极短的特征片段	能否提取特征片段之间的顺序（.）*	能否提取特征片段之间的距离关系（.{k}）	能否提取特征片段的或关系（\|）
早期方法^[4,5,8]	v	×	×	×	v
Polygraph^[9]	v	×	v	×	×
Hamsa^[10]	v	×	×	×	v
文献[12]	v	v	v	×	×
SRE^[13,14]	v	v	v	v	×
本文方法	v	v	v	v	v