Journal on Communications, 2013, Vol. 34, Issue 3: 141-147. doi: 10.3969/j.issn.1000-436x.2013.03.018
Technical Report
Yong TANG¹, Jian-wei ZHUGE², Shu-hui CHEN¹, Xi-cheng LU¹
Online: 2013-03-25
Published: 2017-07-20
Yong TANG, Jian-wei ZHUGE, Shu-hui CHEN, Xi-cheng LU. Automatic generating regular expression signatures for real network worms[J]. Journal on Communications, 2013, 34(3): 141-147.
Method | Generated signature | Performance / s |
Early single-substring method[ | ‘.ida?' or ‘%u7801’ | 18.5 |
Substring-sequence method | GET /.*.ida?.*XX.*%u.*%u7801.*HTTP/1.0\r\n | 11 |
Substring-set method | {‘.ida? ': 1, ‘%u780':1,‘HTTP/1.0\r\n':1,‘GET/': 1,‘%u': 2} | 12.5 |
Simple regular-expression method | ‘GET/'.*‘.ida?'.*‘XX'[15]%u.*%u780.*=.[7]HTTP/1.0\r\n | 869 |
Method in this paper | GET/.*.ida?.*XX.[15]%u.*%u780.*=(aaa|bbb|ccc)HTTP/1.0\r\n | 42 |
Worm name | Samples / run time (s) | Signature tree nodes | Merged output regular expression signature | False positives | False negatives |
virut.n | 31/719 | 6 | .*0x000x000x00.{1}0xffSMBr0x000x000x000x00(0x18S0xc80|0x080x01@)0x00{14}.{2}0x00.{3}0x00.{1}0x000x02PC NETWORK PROGRAM 1.*.00x000x02LANMAN1.0.*0x000x02LM1.2X002.*0x000x02NT LM 0.120x000x000x00.{2}0xffSM Bs0x000x000x000x00.{3}0x000x000x00.*0x00{9}.*0x000x000x00.*0x000x000x000x00.{1}0xff.*0x000x000x00.{3}0x00{7}.*0x000x000x000x00.*0x000x00.*0x010x00.* | 0 | 0 |
virut.as | 40/902 | 9 | 1.0x810x000x00H CKFDENECFDEFFCFGEFFC(CA){6}0x00 EMEPEDEBEMEIEPFDFE(CA){6}AA0x000x000x{5}.{1}0xffSMBr0x000x000x000x00.{3}0x00{14}.{2}0x00.{1}0x00.{1}0x00.{1}0x000x02PC NETWORKPROGRAM 1.*.00x000x02LANMAN1.0.*0x000x02LM1.2X002.*0x000x02NT LM .120x000x000x00.{2}0xffSMBs0x000x000x000x00.{3}0x000x000x00.*0x00{9}.*0x000x000x00.*0x000x000x000x00.{1}0xff.*0x000x000x00.{3}0x00{6}.*0x000x000x000x00.*0x000x00.*0x010x00.*"2. .*0x000x000x000xa80xffSMBr0x000x000x000x000x080x01@0x00{14}0x020x000x08.{2}0x000x850x000x02PCNETWORK PROGRAM 1.00x000x02MICROSOFT NETWORKS 1.030x00 SOFT NETWORKS 00x000x02LANMAN1.00x000x02LM1.2X0020x000x02LANMAN2.10x000x02NT LANMAN 1.00x000x02NT LM 0.120x000x000x000x00b0xffSM Bs0x000x000x000x000x080x01@0x00{14}0x020x000x08.{2}0x0d0xff0x000x000x000x00D0x020x000xfc0x090x00{12}0xf00x000x000x00%0x000x000x00Windows 2000 21950x00Windows 2000 5.00x000x000x000x00D0xffSMBu0x000x000x000x000x180x01 0x00{14}0x020x000x08.{2}0x040xff0x00{5}x010x000x190x000x00\\.*SMBSERVER\IPC$0x00?????0x000x000x000x00Y0xffSMB0xa20x000x000x000x000x180x01 0x00{12}0x08 0x020x000x08.{2}0x180xff0x000x000x000x000x050x000x160x00{7}x9f0x010x020x00{13}0x070x000x000x000x010x000x000x00@0x000x000x000x020x000x000x000x000x060x00\samr0x000x000x000x000x920xffSMB%0x000x000x000x000x180x01 0x000{13}x08 0x020x000x08.{2}0x100x000x00H0x000x000x040xe00xff0x00{12}J0x00H0x00J0x000x020x00&0x000x00@O0x00\PIPE\0x000x050x000x0b0x030x100x000x000x00H0x00{6}xd00x160xd00x160x000x000x000x000x010x00{5}x010x00j(0x1990x0c0xb10xd00x110x9b0xa80x000xc0O0xd9.0xf50x000x000x000x000x04]0x880x8a0xeb0x1c0xc90x110x9f0xe80x080x00+0x10H`0x020x00{5}x0c0xdf0xffSMB/0x000x000x000x000x180x01 0x00{13}0x08 0x020x000x08.{2}0x0e0xff0x000x000x000x00@0x000x000x000x000xff0xff0xff0xff0x080x000xa00x0c0x000x000xa00x0c?0x00{5}xa00x0c0x050x000x000x010x100x000x000x000xa00x0c0x00{6}x880x0c0x000x000x000x000x090x000xec0x030x00{6}xec0x030x000x000x90{160}0x810xc40xff0xef0xff0xffD0xeb0x020xebk0xe80xf90xff0xfffSUVW0x8bl$0x180x8bE<0x8bT(x0x030xd50x8bJ0x180x8bZ 0x030xdd0xe32I0x8b40x8b0x030xf530xff0xfc30xc00xac80xe0t0x070xc10xcf0x0d0x030xf80xeb0xf2;$0x14u0xe10x8bZ$0x030xddf0x8b0x0cK0x8bZ0x1c0x030xdd0x8b0x040x8b0x030xc50xeb0x0230xc0_.* | 0 | 0 |
rbot.bsz | 40/2160 | 1 | 0x810x000x00D KFDENECFDEFFCFGEFFC(CA){23}AA0x000x000x000x000x850xffSMBr0x000x000x000x000x18S0xc80x00{12}x0070x130x00{5}b0x000x02PC NETWORK PROGRAM 1.00x000x02LANMAN1.00x000x02Windows for Workgroups 3.1a0x000x02LM1.2X0020x000x02LANMAN2.10x000x02NT LM 0.120x000x000x000x100xbf0xffSMBs0x000x000x000x000x180x070xc80x00{12}x0070x130x000x000x000x000x0c0xff0x000x000x000x040x110x0a0x00{7}~0x100x000x000x000x000xd40x000x000x80~0x10`0x820x10z0x060x06+0x060x010x050x050x020xa00x820x10n00x820x10j0xa10x820x10f#0x820x10b0x030x820x040x010x00A{70} | 0 | 0 |
Sasser.d | 48/552 | 13 | 0x000x000x000x850xffSMBr0x000x000x000x000x18S0xc80x00{14}xff0xfe0x00{5}b0x000x02PC NETWORKPROGRAM 1.00x000x02LANMAN1.00x000x02Windows for Workgroups 3.1a0x000x02LM1.2X0020x000x02LANMAN2.10x000x02NT LM 0.120x000x000x000x000xa40xffSMBs0x000x000x000x000x180x070xc80x00{19}0x100x000x0c0xff0x000xa40x000x040x110x0a0x00{12}0x000xd40x000x000x80i0x00NTLMSSP0x000x010x000x000x000x970x820x080xe00x00{17}W0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x000x0020x0010x0090x0050x000x000x00W0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x00 0x0050x00.0x00{8}xda0xffSM Bs0x000x000x000x000x180x070xc80x00{14}xff0xfe0x000x08 0x000x0c0xff0x000xda0x000x040x110x0a0x00{7}x00W0x00{5}xd40x000x000x800x9f0x00NTLMSSP0x000x030x000x000x000x01 0x010x00F0x00{14}@0x00{7}@0x000x000x000x060x000x060x00@0x000x000x000x100x000x100x00G0x000x000x000x150x8a0x880xe0H0x00O0x00D0x000x000x810x19jz0xf20xe4I0x1c(0xaf0%t0x10gSW0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x000x0020x0010x0090x0050x000x000x00W0x00i0x00n0x00d0x00o0x00w0x00s0x00 0x0020x0000x0000x0000x00 0x0050x00.0x0000x00{8}[1]0xffSMBu0x000x000x000x000x180x070xc80x00{14}0xff0xfe0x000x0800x000x040xff0x00\0x000x080x000x010x00.{1}0x000x00\0x00\0x0010x0090x0020x00.0x0010x0060x0080x00.0x00.*0x00.*0x00.{1}0x00.{1}0x00\0x00i0x00p0x00c0x00$0x000x000x00?????0x000x000x000x00d0xffSMB0xa20x000x000x000x000x180x070xc80x00{13}x080xdc0x040x000x08@0x000x180xff0x000xde0xde0x000x0e0x160x00{7}x9f0x010x020x00{13}x030x000x000x000x010x000x000x00@0x000x000x000x020x000x000x000x030x110x000x00\0x00l0x00s0x00a0x00r0x00p0x00c0x00{6}x9c0xffSMB%0x000x000x000x000x180x070xc80x00.{13}x080xdc0x040x000x08P0x000x100x000x00H0x000x000x000x000x040x00{12}x00T0x00H0x00T0x000x020x00&0x000x00@Y0x000x10\0x00P0x00I0x00P0x00E0x00\0x00{5}x050x000x0b0x030x100x000x000x00H0x000x000x000x010x000x000x000xb80x100xb80x100x000x000x000x000x010x00{5}0x010x00j(0x1990x0c0xb10xd00x110x9b0xa80x000xc0O0xd9.0xf50x000x000x000x000x04]0x880x8a0xeb0x1c0xc90x110x9f0xe80x080x00+0x10H`0x020x00{5}0x0c0xf40xffSM B%0x000x000x000x000x180x070xc80x00{13}0x080xdc0x040x000x08`0x000x100x000x000xa00x0c0x000x000x000x040x00{12}T0x000xa00x0cT0x000x020x00&0x000x00@0xb10x0c0x10\0x00P0x00I0x00P0x00E0x00\0x00{5}0x050x000x000x030x100x000x000x000xa00x0c0x000x000x010 x000x000x880x0c0x000x000x000x000x090x000xec0x030x00{6}xec0x03*0x900x900x900x900x900x900x900x900x90 | 0 | 0 |
[1] FOGLA P, SHARIF M, PERDISCI R, et al. Polymorphic blending attacks[A]. Proceedings of the 15th Conference on USENIX Security Symposium[C]. Berkeley, CA, USA, 2006, 17.
[2] GUNDY M V, BALZAROTTI D, FIELDSCHEMA G V. Catch me, if you can: evading network signatures with Web-based polymorphic worms[A]. Proceedings of the First USENIX Workshop on Offensive Technologies (WOOT)[C]. Boston, MA, USA, 2007.
[3] TANG Y, LU X C, WANG Y J. Survey of automatic attack signature generation[J]. Journal on Communications, 2009, 30(2): 96-105.
[4] KREIBICH C, CROWCROFT J. Honeycomb: creating intrusion detection signatures using honeypots[A]. Proceedings of the Second Workshop on Hot Topics in Networks (HotNets II)[C]. Boston, 2003. 51-56.
[5] WANG K, CRETU G, STOLFO S J. Anomalous payload-based worm detection and signature generation[A]. Proceedings of Recent Advances in Intrusion Detection (RAID)[C]. 2003. 227-246.
[6] SINGH S, ESTAN C, VARGHESE G, et al. Automated worm fingerprinting[A]. Proceedings of the 6th USENIX OSDI[C]. 2004. 45-60.
[7] KIM H A, KARP B. Autograph: toward automated, distributed worm signature detection[A]. Proceedings of USENIX Security Symposium[C]. 2004. 271-286.
[8] SINGH S, ESTAN C, VARGHESE G, et al. Automated worm fingerprinting[A]. Proceedings of the 6th USENIX OSDI[C]. San Francisco, CA, 2004. 45-60.
[9] NEWSOME J, KARP B, SONG D. Polygraph: automatically generating signatures for polymorphic worms[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. Washington, DC, USA, 2005. 226-241.
[10] LI Z, SANGHI M, CHEN Y, et al. Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience[A]. Proceedings of IEEE Symposium on Security and Privacy[C]. Washington, DC, USA, 2006. 32-47.
[11] YEGNESWARAN V, GIFFIN J T, BARFORD P, et al. An architecture for generating semantics-aware signatures[A]. Proceedings of the 14th USENIX Security Symposium[C]. Baltimore, MD, USA, 2005. 97-112.
[12] TANG Y, LU X C, HU H P, et al. Automatic generation of attack signatures based on multi-sequence alignment[J]. Chinese Journal of Computers, 2006, 29(9): 1533-1541.
[13] TANG Y, LU X, XIAO B. Generating simplified regular expression signatures for polymorphic worms[A]. Proceedings of the 4th International Conference on Autonomic and Trusted Computing (ATC-07)[C]. 2007. 478-488.
[14] TANG Y, LU X, XIAO B. Using a bioinformatics approach to generate accurate exploit-based signatures for polymorphic worms[J]. Computers & Security, 2009.
[15] ZHUGE J W, HAN X H, ZHOU Y L, et al. HoneyBow: an automated malware collection tool based on the high-interaction honeypot principle[J]. Journal on Communications, 2007, 28(12): 8-13.
[16] LIPPMANN R, HAINES J W, FRIED D J, et al. The 1999 DARPA off-line intrusion detection evaluation[J]. Computer Networks, 2000, 34(4): 579-595.