基于种子——扩充的多态蠕虫特征自动提取方法

doi:10.3969/j.issn.1000-436x.2014.09.002

Abstract

Abstract:

A polymorphic worm signature generation approach based on seed-extending,SESG,was proposed.Firstly,algorithm SESG puts all sequences into a queue based on their weight.Seed sequence in the queue is extended,and all kinds of worm sequences and noise sequences are classified.Finally,worm signature is generated from classified worm sequences.Experiments are run to test SESG and compared with other approaches.Experiment results show that SESG can classify worm sequences and noise sequences from suspicious flow pool over other existed approaches,which can generate effective worm signature more easily.

Key words: nformation security, seed-extending algorithm, polymorphic worm, worm detection, worm signature

Jie WANG,Xiao-xian HE. Automated polymorphic worm signature generation approach based on seed-extending[J]. Journal on Communications, 2014, 35(9): 12-19.

Figures/Tables 21

References 28

[1]	文伟平，卿斯汉，蒋建春等．网络蠕虫研究与进展[J]．软件学报， 2004,15(8):1208-1219. WENG W P , QING S H , JIANG J C , et al. Research and development of internet worms[J]. Journal of Software, 2004,15(8):1208-1219.
[2]	和亮，冯登国，王蕊等．基于MapReduce的大规模在线社交网络蠕虫仿真[J]．软件学报， 2013,24(7):1666-1682. HE L , FENG D G , WANG R , et al. Mapreduce-based large-scale online social network worm simulation[J]. Journal of Software, 2013,24(7):1666-1682.
[3]	苏飞，林昭文，马严等． IPv6网络环境下的蠕虫传播模型研究[J]．通信学报， 2011,32(9):51-60. SU F , LIN Z W , MA Y , et al. Research on worm propagation model in IPv6 networks[J]. Journal on Communications, 2011,32(9):51-60.
[4]	吴国政，秦志光．大规模对等网络蠕虫仿真技术研究[J]．通信学报， 2011,32(8):128-135. WU G Z , QIN Z G . Research on large-scale P2P worm simulation[J]. Journal on Communications, 2011,32(8):128-135.
[5]	张伟，王汝传，李鹏．基于云安全环境下的蠕虫传播模型[J]．通信学报， 2012,33(4):17-24. ZHANG W , WANG R C , LI P . Worm propagation modeling in cloud security[J]. Journal on Communications, 2012,33(4):17-24.
[6]	刘波，王怀民，肖枫涛等．面向异构网络环境下的蠕虫传播模型Enhanced-AAWP[J]．通信学报， 2011,32(12):103-113. LIU B , WANG H M , XIAO F T , et al. Enhanced-AAWP,a heteroge-neous network oriented worm propagation model[J]. Journal on Communications, 2011,32(12):103-113.
[7]	杨峰，段海新，李星．网络蠕虫扩散中蠕虫和良性蠕虫交互过程建模与分析[J]．中国科学(E辑)， 2004,34(8):841-856. YANG F , DUAN H X , LI X . Modeling and analyzing interaction be-tween network worm and antiworm during the propagation process[J]. Science in China Ser E, 2004,34(8):841-856.
[8]	肖枫涛，胡华平，刘波． HPBR：用于蠕虫检测的主机报文行为评级模型[J]．通信学报， 2008,29(10):108-116. XIAO F T , HU H P , LIU B . HPBR: host packet behavior ranking model used in worm detection[J]. Journal on Communications, 2008,29(10):108-116.
[9]	COMAR P M , LIU L , SAHA S , et al. Combining supervised and unsupervised learning for zero-day malware detection[A]. Proceedings of 32nd Annual IEEE International Conference on Computer Commu-nications (INFOCOM 2013)[C]. Turin,Italy, 2013.2022-2030.
[10]	KAUR R. , SINGH M . Efficient hybrid technique for detecting zero-day polymorphic worms[A]. 2014 IEEE International Advance Computing Conference (IACC)[C]. Gurgaon,India, 2014.95-100.
[11]	唐勇，诸葛建伟，陈曙晖等．蠕虫正则表达式特征自动提取技术研究[J]．通信学报， 2013,34(3):141-147. TANG Y , ZHUGE J W , CHEN S H , et al. Automatic generating regu-lar expression signatures for real network worms[J]. Journal on Communications, 2013,34(3):141-147.
[12]	王平，方滨兴，云晓春．基于自动特征提取的大规模网络蠕虫检测[J]．通信学报， 2006,27(6):87-93. WANG P , FANG B X , YUN X C . Large scale network worm detection using automatic signature extraction[J]. Journal on Communications, 2006,27(6):87-93.
[13]	KAUR R , SINGH M . A survey on zero-day polymorphic worm detec-tion techniques[J]. IEEE Communications Surveys ＆ Tutorials, 2014:1-30.
[14]	PORTOKALIDIS G , BOS H . Sweetbait: zero-hour worm detection and containment using low-and high-interaction honeypots[J]. Computer Networks, 2007,51(5):1256-1274.
[15]	CAI M , HWANG K , PAN J , et al. Wormshield: fast worm signature generation with distributed fingerprint aggregation[J]. IEEE Transac-tions on Dependable and Secure Computing, 2007,4(2):88-104.
[16]	RANJAN S , SHAH S , NUCCI A , et al. Dowitcher: effective worm detection and containment in the internet core[A]. IEEE INFOCOM 2007[C]. Alaska,USA, 2007.2541-2545.
[17]	MOHAMMED MMZE , CHAN H A , VENTURA N , et al. An auto-mated signature generation method for zero-day polymorphic worms based on multilayer perceptron model[A]. 2013 International Confer-ence on Advanced Computer Science Applications and Technologies (ACSAT)[C]. Zhengzhou,China, 2013.450-455.
[18]	YEGNESWARAN V , GIFFIN J T , BARFORD P , et al. An architecture for generating semantics-aware signatures[A]. Proceedings of the 14th Conference on USENIX Security Symposium[C]. Baltimore, 2005.
[19]	NEWSOME J , KARP B , SONG D . Polygraph: automatically generat-ing signatures for polymorphic worms[A]. Proceedings of 2005 IEEE Symposium on Security and Privacy Symposium[C]. Oakland,California, 2005.226-241.
[20]	LI Z , SANGHI M , CHEN Y , et al. Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. Berkeley/Oakland,California, 2006.32-47.
[21]	CAVALLARO L , LANZI A , MAYER L , et al. LISABETH: automated content-based signature generator for zero-day polymorphic worms[A]. Proceedings of the Fourth International Workshop on Software Engi-neering for Secure Systems[C]. Berlin,Germany, 2008.41-48.
[22]	BAYOGLU B , SOGUKPINAR I . Polymorphic worm detection using token-pair signatures[A]. Proceedings of the 4th International Work-shop on Security,Privacy and Trust in Pervasive and Ubiquitous Com-putting[C]. New York,USA, 2008.7-12.
[23]	MOHAMMED MMZE , CHAN H A , VENTURA N . Honeycyber:automated signature generation for zero-day polymorphic worms[A]. IEEE Military Communications Conference,MILCOM 2008[C]. New York,USA, 2008.1-6.
[24]	WANG J , WANG J X , CHEN J E , et al. An automated signature gen-eration approach for polymorphic worm based on color coding[A]. IEEE ICC 2009[C]. Dresden,Germany, 2009.1-6.
[25]	TANG Y , XIAO B , LU X , et al. Using a bioinformatics approach to generate accurate exploit-based signatures for polymorphic worms[J]. Computers ＆ Security, 2009,28(8):827-842.
[26]	TANG Y , CHEN S . An automated signature-based approach against polymorphic internet worms[J]. IEEE Transactions on Parallel and Distributed Systems, 2007,18(7):879-892.
[27]	BAYOGLU B , SOGUKPINAR L . Graph based signature classes for detecting polymorphic worms via content analysis[J]. Computer Networks, 2012,56(2):832-844.
[28]	汪洁，王建新，刘绪崇．基于近邻关系特征的多态蠕虫防御方法[J]．通信学报， 2011,32(8):150-158. WANG J , WANG J X , LIU X C . Novel approach based on neighbor-hood relation signature against polymorphic Internet worms[J]. Journal on Communications, 2011,32(8):150-158.

Metrics

Recommended 0

No Suggested Reading articles found!

类别	噪音序列	Blaster蠕虫
1组	16条序列	0条序列
2组	30条序列	0条序列
3组	0条序列	50条序列
4组	4条序列	0条序列

类别	噪音序列	Blaster蠕虫
1组	8条序列	50条
2组	42条序列	0条

测试	GNRS	CCSF	Normalized Cuts+NRS	SESG+NRS
误报率	0.4315	0	0.1017	0
漏报率	0	0	0	0

类别	SQL Slammer蠕虫序列	Blaster蠕虫序列
1组	0条序列	50条序列
2组	50条序列	0条序列

类别	SQL Slammer蠕虫序列	Blaster蠕虫序列
1组	50条序列	2条序列
2组	0条序列	48条序列

Automated polymorphic worm signature generation approach based on seed-extending

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 21

References 28

Related Articles 15

Metrics

Recommended 0

类别	SQL Slammer蠕虫序列(33)	噪音序列(33)	Blaster蠕虫序列(34)
1组	33条	0条	0条
2组	0条	0条	34条
3组	0条	22条	0条
4组	0条	9条	0条
5组	0条	2条	0条

测试	GNRS	NC+NRS		SESG+NRS
测试	GNRS	第1组	第3组	SESG+NRS
漏报率	0	0	0	0
误报率	0.326 6	0.422 1	0	0

类别	ATPhttp蠕虫序列（25条）	Blaster蠕虫序列（25条）	Apache-Knacker蠕虫序列（25条）	SQL Slammer蠕虫序列（25条）
1组	0条	0条	0条	25条
2组	0条	25条	0条	0条
3组	25条	0条	0条	0条
4组	0条	0条	25条	0条

类别	噪音序列（20条）	ATPhttp蠕虫序列（20条）	Apache-Knacker蠕虫序列（20条）	SQL Slammer蠕虫序列（20条）	Blaster蠕虫序列（20条）
1组	0条	0条	0条	20条	0条
2组	0条	0条	0条	0条	20条
3组	0条	20条	0条	0条	0条
4组	0条	0条	20条	0条	0条
5组	13条	0条	0条	0条	0条
6组	5条	0条	0条	0条	0条
7组	2条	0条	0条	0条	0条

[1]	Weiyu CHEN, Junshan LUO, Fanggang WANG, Haiyang DING, Shilian WANG, Guojiang XIA. Survey of capacity limits and implementation techniques in wireless covert communication [J]. Journal on Communications, 2022, 43(8): 203-218.
[2]	Han ZHANG,Yongjin HU,Yuanbo GUO,Jicheng CHEN. Research on coreference resolution technology of entity in information security [J]. Journal on Communications, 2020, 41(2): 165-175.
[3]	Xi YIN,Weiqing HUANG. Research on color QR code watermarking technology based on chaos theory [J]. Journal on Communications, 2018, 39(7): 50-58.
[4]	Qin WANG,Jianming ZHU. Research on the game of information security investment based on the Gordon-Loeb model [J]. Journal on Communications, 2018, 39(2): 174-182.
[5]	Tao FENG,Ye LU,Jun-li FANG. Research on vulnerability and security technology of industrial Ethernet protocol [J]. Journal on Communications, 2017, 38(Z2): 185-196.
[6]	Guang-ming TANG,Yi SUN,Xiao-yu XU,Yu WANG. Adaptive JPEG steganography based on distortion cost updating [J]. Journal on Communications, 2017, 38(9): 1-8.
[7]	Mu-zhou LIU,Jian-shu QIU,Yun-yong ZHANG,Bin-feng YAN,Si-yao ZHANG,Ya-fei TANG. Certificate integration management platform based on identity key [J]. Journal on Communications, 2016, 37(Z1): 197-203.
[8]	Tao WEN,Yu-qing ZHANG,Qi-xu LIU,Gang YANG. UVDA:design and implementation of automation fusion framework of heterogeneous security vulnerability database [J]. Journal on Communications, 2015, 36(10): 235-244.
[9]	Yu-qing ZHANG,Qian-ru WU,Qi-xu LIU,Ying DONG. Research on security of third-party tracking [J]. Journal on Communications, 2014, 35(9): 1-11.
[10]	. Predicting users’ profiles in social network based on semi-supervised learning [J]. Journal on Communications, 2014, 35(8): 3-22.
[11]	. Survey on security and privacy preserving for mobile internet service [J]. Journal on Communications, 2014, 35(11): 1-8.
[12]	Jian-ming ZHU,Biao SONG,Qi-fa HUANG. Evolution game model of offense-defense for network security based on system dynamics [J]. Journal on Communications, 2014, 35(1): 54-61.
[13]	Chan DONG,Xiu-bin FAN,You-wen LI,Jian-rong WANG. Secret level valuation method of BLP model based on some application properties [J]. Journal on Communications, 2013, 34(9): 142-149.
[14]	Wei-wei LI. Correlation-immunity study of balanced H-Boolean functions [J]. Journal on Communications, 2013, 34(8): 82-87.
[15]	. Correlation-immunity study of balanced H-Boolean functions [J]. Journal on Communications, 2013, 34(8): 11-87.