蠕虫正则表达式特征自动提取技术研究

doi:10.3969/j.issn.1000-436x.2013.03.018

Abstract

Abstract:

A practical worm regular expression of automatic extraction method was presented,which involves four steps:sample collection from worm propagation, signature tre generation, removal of high false-positive signatures, and sig-nature merging. The advantage of this method is that it can directly output expression signature with the rich syntax of“.*”, “.{k}”, “|”, “(c){k}”. Based on the honeypot system Honeybow deployed in Internet, the method was implemented and evaluated by several in-wild worms under real Internet environment. The experiment results show that the method can generate accurate regular expression signatures for real worms and is promising for the applications of automatic analysis of worms and malwares.

Key words: worm, malware, signature generation, signature tree, regular expression, honeybow, intrusion detection

Yong TANG,Jian-wei ZHUGE,Shu-hui CHEN,Xi-cheng LU. Automatic generating regular expression signatures for real network worms[J]. Journal on Communications, 2013, 34(3): 141-147.

Figures/Tables 6

蠕虫名称	样本数量运行时间/	特征树节点数量	归并后的输出的正则表达式特征	假阳性	假阴性
virut.n	31/719	6	.0x000x000x00.{1}0xffSMBr0x000x000x000x00(0x18S0xc80\|0x080x01@)0x00{14}.{2}0x00.{3}0x00.{1}0x000x02PC NETWORK PROGRAM 1..00x000x02LANMAN1.0.0x000x02LM1.2X002.0x000x02NT LM 0.120x000x000x00.{2}0xffSM Bs0x000x000x000x00.{3}0x000x000x00.0x00{9}.0x000x000x00.0x000x000x000x00.{1}0xff.0x000x000x00.{3}0x00{7}.0x000x000x000x00.0x000x00.0x010x00.	0	0
virut.as	40/902	9	1.0x810x000x00H CKFDENECFDEFFCFGEFFC(CA){6}0x00 EMEPEDEBEMEIEPFDFE(CA){6}AA0x000x000x{5}.{1}0xffSMBr0x000x000x000x00.{3}0x00{14}.{2}0x00.{1}0x00.{1}0x00.{1}0x000x02PC NETWORKPROGRAM 1..00x000x02LANMAN1.0.0x000x02LM1.2X002.0x000x02NT LM .120x000x000x00.{2}0xffSMBs0x000x000x000x00.{3}0x000x000x00.0x00{9}.0x000x000x00.0x000x000x000x00.{1}0xff.0x000x000x00.{3}0x00{6}.0x000x000x000x00.0x000x00.0x010x00."2. .0x000x000x000xa80xffSMBr0x000x000x000x000x080x01@0x00{14}0x020x000x08.{2}0x000x850x000x02PCNETWORK PROGRAM 1.00x000x02MICROSOFT NETWORKS 1.030x00 SOFT NETWORKS 00x000x02LANMAN1.00x000x02LM1.2X0020x000x02LANMAN2.10x000x02NT LANMAN 1.00x000x02NT LM 0.120x000x000x000x00b0xffSM Bs0x000x000x000x000x080x01@0x00{14}0x020x000x08.{2}0x0d0xff0x000x000x000x00D0x020x000xfc0x090x00{12}0xf00x000x000x00%0x000x000x00Windows 2000 21950x00Windows 2000 5.00x000x000x000x00D0xffSMBu0x000x000x000x000x180x01 0x00{14}0x020x000x08.{2}0x040xff0x00{5}x010x000x190x000x00\\.SMBSERVER\IPC$0x00?????0x000x000x000x00Y0xffSMB0xa20x000x000x000x000x180x01 0x00{12}0x08 0x020x000x08.{2}0x180xff0x000x000x000x000x050x000x160x00{7}x9f0x010x020x00{13}0x070x000x000x000x010x000x000x00@0x000x000x000x020x000x000x000x000x060x00\samr0x000x000x000x000x920xffSMB%0x000x000x000x000x180x01 0x000{13}x08 0x020x000x08.{2}0x100x000x00H0x000x000x040xe00xff0x00{12}J0x00H0x00J0x000x020x00＆0x000x00@O0x00\PIPE\0x000x050x000x0b0x030x100x000x000x00H0x00{6}xd00x160xd00x160x000x000x000x000x010x00{5}x010x00j(0x1990x0c0xb10xd00x110x9b0xa80x000xc0O0xd9.0xf50x000x000x000x000x04]0x880x8a0xeb0x1c0xc90x110x9f0xe80x080x00+0x10H`0x020x00{5}x0c0xdf0xffSMB/0x000x000x000x000x180x01 0x00{13}0x08 0x020x000x08.{2}0x0e0xff0x000x000x000x00@0x000x000x000x000xff0xff0xff0xff0x080x000xa00x0c0x000x000xa00x0c?0x00{5}xa00x0c0x050x000x000x010x100x000x000x000xa00x0c0x00{6}x880x0c0x000x000x000x000x090x000xec0x030x00{6}xec0x030x000x000x90{160}0x810xc40xff0xef0xff0xffD0xeb0x020xebk0xe80xf90xff0xff fSUVW0x8bl$0x180x8bE＜0x8bT(x0x030xd50x8bJ0x180x8bZ 0x030xdd0xe32I0x8b40x8b0x030xf530xff0xfc30xc00xac80xe0t0x070xc10xcf0x0d0x030xf80xeb0xf2;$0x14u0xe10x8bZ$0x030xddf0x8b0x0cK0x8bZ0x1c0x030xdd0x8b0x040x8b0x030xc50xeb0x0230xc0_.	0	0
rbot.bsz	40/2160	1	0x810x000x00D KFDENECFDEFFCFGEFFC(CA){23}AA0x000x000x000x000x850xffSMBr0x000x000x000x000x18S0xc80x00{12}x0070x130x00{5}b0x000x02PC NETWORK PROGRAM 1.00x000x02LANMAN1.00x000x02Windows for Workgroups 3.1a0x000x02LM1.2X0020x000x02LANMAN2.10x000x02NT LM 0.120x000x000x000x100xbf0xffSMBs0x000x000x000x000x180x070xc80x00{12}x0070x130x000x000x000x000x0c0xff0x000x000x000x040x110x0a0x00{7}~0x100x000x000x000x000xd40x000x000x80~0x10`0x820x10z0x060x06+0x060x010x050x050x020xa00x820x10n00x820x10j0xa10x820x10f#0x820x10b0x030x820x040x010x00A{70}	0	0
Sasser.d	48/552	13	0x000x000x000x850xffSMBr0x000x000x000x000x18S0xc80x00{14}xff0xfe0x00{5}b0x000x02PC NETWORKPROGRAM 1.00x000x02LANMAN1.00x000x02Windows for Workgroups 3.1a0x000x02LM1.2X0020x000x02LANMAN2.10x000x02NT LM 0.120x000x000x000x000xa40xffSMBs0x000x000x000x000x180x070xc80x00{19}0x100x000x0c0xff0x000xa40x000x040x110x0a0x00{12}0x000xd40x000x000x80i0x00NTLMSSP0x000x010x000x000x000x970x820x080xe00x00{17}W0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x000x0020x0010x0090x0050x000x000x00W0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x00 0x0050x00.0x00{8}xda0xffSM Bs0x000x000x000x000x180x070xc80x00{14}xff0xfe0x000x08 0x000x0c0xff0x000xda0x000x040x110x0a0x00{7}x00W0x00{5}xd40x000x000x800x9f0x00NTLMSSP0x000x030x000x000x000x01 0x010x00F0x00{14}@0x00{7}@0x000x000x000x060x000x060x00@0x000x000x000x100x000x100x00G0x000x000x000x150x8a0x880xe0H0x00O0x00D0x000x000x810x19jz0xf20xe4I0x1c(0xaf0%t0x10gSW0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x000x0020x0010x0090x0050x000x000x00W0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x00 0x0050x00.0x0000x00{8}[1]0xffSMBu0x000x000x000x000x180x070xc80x00{14}0xff0xfe0x000x0800x000x040xff0x00\0x000x080x000x010x00.{1}0x000x00\0x00\0x0010x0090x0020x00.0x0010x0060x0080x00.0x00.0x00.0x00.{1}0x00.{1}0x00\0x00i0x00p0x00c0x00$0x000x000x00?????0x000x000x000x00d0xffSMB0xa20x000x000x000x000x180x070xc80x00{13}x080xdc0x040x000x08@0x000x180xff0x000xde0xde0x000x0e0x 160x00{7}x9f0x010x020x00{13}x030x000x000x000x010x000x000x00@0x000x000x000x020x000x000x000x030x110x000x00\0x00l0x00s0x00a0x00r0x00p0x00c0x00{6}x9c0xffSMB%0x000x000x000x000x180x070xc80x00.{13}x080xdc0x040x000x08P0x000x100x000x00H0x000x000x000x000x040x00{12}x00T0x00H0x00T0x000x020x00＆0x000x00@Y0x000x10\0x00P0x00I0x00P0x00E0x00\0x00{5}x050x000x0b0x030x100x000x000x00H0x000x000x000x010x000x000x000xb80x100xb80x100x000x000x000x000x010x00{5}0x010x00j(0x1990x0c0xb10xd00x110x9b0xa80x000xc0O0xd9.0xf50x000x000x000x000x04]0x880x8a0xeb0x1c0xc90x110x9f0xe80x080x00+0x10H`0x020x00{5}0x0c0xf40xffSM B%0x000x000x000x000x180x070xc80x00{13}0x080xdc0x040x000x08`0x000x100x000x000xa00x0c0x000x000x000x040x00{12}T0x000xa00x0cT0x000x020x00＆0x000x00@0xb10x0c0x10\0x00P0x00I0x00P0x00E0x00\0x00{5}0x050x000x000x030x100x000x000x000xa00x0c0x000x000x010 x000x000x880x0c0x000x000x000x000x090x000xec0x030x00{6}xec0x03*0x900x900x900x900x900x900x900x900x90"	0	0

References 16

[1]	FOGLAP , SHARIFM , PERDISCIR , et al. Polymorphic blending attacks[A]. Proceedings of the 15th Conference on USENIX Security Symposium[C]. Berkeley, CA, USA, 2006,17.
[2]	GUNDYM V , BALZAROTTID , FIELDSCHEMAG V . Catch me, if you can: evading network signatures with Web-based polymorphic worms[A]. Proceedings of the First USENIX Workshop on Offensive Technologies (WOOT)[C]. Boston, MA,USA, 2007.
[3]	唐勇, 卢锡城, 王勇军 . 攻击特征自动提取技术综述[J]. 通信学报, 2009,30(2): 96-105. TANGY , LUX C , WANGY J . Survey of automatic attack s gnature generation[J]. Journal on Communications, 2009,30(2): 96-105.
[4]	KREIBICHC , CROWCROFTJ . Honeycomb-creating intrusion detection signatures using honeypots[A]. Proceedings of the Second Workshop on Hot Topics in Networks (Hotnets II)[C]. Boston, 2003. 51-56.
[5]	WANGK , CRETUG , STOLFOS J . Anomalous payload-based worm detection and signature generation[A]. Proceedings of Recent Ad-vances in Intrusion Detection (RAID)[C]. 2003. 227-246.
[6]	SINGHS , ESTANC , VARGHESEG , et al. Automated worm finger-printing[A]. Proceedings of the 6th USENIX OSDI[C]. 2004. 45-60.
[7]	KIMH A , KARPB . Autograph: toward automated, distribu worm signature detection[A]. Proceedings of USENIX Security Sympo-sium[C]. 2004. 271-286.
[8]	SINGHS , ESTANC , VARGHESEG , et al. Automated worm finger-printing[A]. Proceedings of the 6th USENIX OSDI[C]. San Francisco, CA, 2004. 45-60.
[9]	NEWSOMEJ , KARPB , SONGD . Polygraph: automatically generat-ing signatures for polymorphic worms[A]. Proceedings of IEEE Sym-posium on Security and Privacy[C]. Washington, DC, USA, 2005. 226-241.
[10]	LIZ , SANGHIM , CHENY , et al. Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. Wash-ington, DC, USA, 2006. 32-47.
[11]	YEGNESWARANV , GIFFINJ T , BARFORDP , et al. An architec-ture for generating semantics-aware signatures[A]. Proceedings of the 14th USENIX Security Symposium[C]. Baltimore, MD, USA, 2005. 97-112.
[12]	唐勇, 卢锡城, 胡华平等. 基于多序列联配的攻击特征自动提取技术研究[J]. 计算机学报, 2006,29(9): 1533-1541. TANGY , LUX C , HUH P , et al. Automatic generation of attack sig-natures based on multi-sequence alignment[J]. Chinese Journal of computers, 2006,29(9): 1533-1541.
[13]	TANGY , LUX , XIAOB . Generating simplified regular expression Signatures for polymorphic worms[A]. Proceedings of the 4th Interna-tional Conference on Autonomic and Trusted Computing (ATC-07)[C]. 2007. 478-488.
[14]	TANGY , LUX , XIAOB . Using a bioinformatics approach to gener-ate accurate exploit-based signatures for polymorphic worms[J]. Comput, Secur, 2009.
[15]	诸葛建伟, 韩心慧, 周勇林等. HoneyBow:一个基于高交互式蜜罐技术的恶意代码自动捕获器[J]. 通信学报, 2007,28(12): 8-13. ZHUGEJ W , HANX H , ZHOUY L , et al. HoneyBow:an automated malware collection tool based on the high-interaction honeypot prin-ciple[J]. Journal on Communications, 2007,28(12): 8-13.
[16]	LIPPMANNR , HAINESJ W , FRIEDD J , et al. The 1999 DARPA off-line intrusion detection evaluation[J]. Comput, Networks, 2000,34(4): 579-595.

Metrics

Recommended 0

No Suggested Reading articles found!

方法	生成的特征	性能/s
早期单个子串方法^[4,5]	‘.ida?' or ‘%u7801’	18.5
子串序列方法^[9]	GET /..ida?.XX.%u.%u7801.*HTTP/1.0\r\n	11
子串集合方法^[10]	{‘.ida? ': 1, ‘%u780':1,‘HTTP/1.0\r\n':1,‘GET/': 1,‘%u': 2}	12.5
简单正则表达式方法^[13]	‘GET/'.‘.ida?'.‘XX'[15]%u.%u780.=.[7]HTTP/1.0\r\n	869
本文方法	GET/..ida?.XX.[15]%u.%u780.=(aaa\|bbb\|ccc)HTTP/1.0\r\n	42

方法			特征准确性
方法	能否提取多个特征片段	能否提取长度极短的特征片段	能否提取特征片段之间的顺序（.）*	能否提取特征片段之间的距离关系（.{k}）	能否提取特征片段的或关系（\|）
早期方法^[4,5,8]	v	×	×	×	v
Polygraph^[9]	v	×	v	×	×
Hamsa^[10]	v	×	×	×	v
文献[12]	v	v	v	×	×
SRE^[13,14]	v	v	v	v	×
本文方法	v	v	v	v	v

Automatic generating regular expression signatures for real network worms

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 6

References 16

Related Articles 15

Metrics

Recommended 0

[1]	Xin SUN, Guifu ZHANG, Hongyan XING, Wang Zenghui. Research on intrusion detection for maritime meteorological sensor network based on balancing generative adversarial network [J]. Journal on Communications, 2023, 44(4): 124-136.
[2]	Yifeng WANG, Yuanbo GUO, Qingli CHEN, Chen FANG, Renhao LIN. Method based on contrastive learning for fine-grained unknown malicious traffic classification [J]. Journal on Communications, 2022, 43(10): 12-25.
[3]	Qixu LIU, Junnan WANG, Jie YIN, Yanhui CHEN, Jiaxi LIU. Application of adversarial machine learning in network intrusion detection [J]. Journal on Communications, 2021, 42(11): 1-12.
[4]	Youliang TIAN,Yulong WU,Qiuxian LI. Optimum response scheme of intrusion detection based on information theory [J]. Journal on Communications, 2020, 41(7): 121-130.
[5]	Xinglan ZHANG,Shenglin YIN. Intrusion detection model of random attention capsule network based on variable fusion [J]. Journal on Communications, 2020, 41(11): 160-168.
[6]	Wei SUN,Peng ZHANG,Yongquan HE,Lichao XING. Attack detection method based on spatiotemporal event correlation in intranet environment [J]. Journal on Communications, 2020, 41(1): 33-41.
[7]	Hanxun ZHOU,Chen CHEN,Runze FENG,Junkun XIONG,Hong PAN,Wei GUO. Mobile malware traffic detection approach based on value-derivative GRU [J]. Journal on Communications, 2020, 41(1): 102-113.
[8]	HU Jianwei,CHE Xin,ZHOU Man,CUI Yanpeng. Incremental clustering method based on Gaussian mixture model to identify malware family [J]. Journal on Communications, 2019, 40(6): 148-159.
[9]	Yuan XU,Chao YANG,Li YANG. Single password authentication method for remote user based on mobile terminal assistance [J]. Journal on Communications, 2019, 40(2): 174-187.
[10]	Zhen ZHANG,Peng WEI,Yufeng LI,Julong LAN,Ping XU,Bo CHEN. Feature selection algorithm based on improved particle swarm joint taboo search [J]. Journal on Communications, 2018, 39(12): 60-68.
[11]	Yashu LIU,Zhihai WANG,Hanbing YAN,Yueran HOU,Yukun LAI. Method of anti-confusion texture feature descriptor for malware images [J]. Journal on Communications, 2018, 39(11): 44-53.
[12]	Bo CHEN,Yong-tao PAN,Tie-ming CHEN. Android malware detection method based on SimHash [J]. Journal on Communications, 2017, 38(Z2): 30-36.
[13]	Bing-lin ZHAO,Xi MENG,Jin HAN,Jing WANG,Fu-dong LIU. Homology analysis of malware based on graph [J]. Journal on Communications, 2017, 38(Z2): 86-93.
[14]	Hong-yu YANG,Jin XU. Android malware detection based on improved random forest [J]. Journal on Communications, 2017, 38(4): 8-16.
[15]	Ying-xu LAI,Zeng-hui LIU,Xiao-tian CAI,Kai-xiang YANG. Research on intrusion detection of industrial control system [J]. Journal on Communications, 2017, 38(2): 143-156.