Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms. Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3. 1 Lab for Internet and Security Technology (LIST), Northwestern Univ. 2 Tsinghua University, China. 3 Motorola Labs, USA.
2
The Spread of Sapphire/Slammer Worms
3
Limitations of Exploit-Based Signatures
[Figure: packets with payloads 1010101, 10111101, 11111100 and 00010111 arrive from the Internet and pass through traffic filtering into our network; the exploit-based signature 10.*01 is marked XX, i.e. it does not match every variant]
A polymorphic worm might not have an exact exploit-based signature.
Polymorphism!
4
Vulnerability Signature
• Works for polymorphic worms
• Works for all the worms which target the same vulnerability
• At the early stage of the worm, only limited worm samples are available.
• Host-based sensors can only cover a limited IP space, which might have scalability issues.
[Figure: gateway routers connect the Internet to our network; host-based detection sits on the hosts inside the network. Early Detection!]
6
Design Space and Related Work
• Most host-based approaches depend on a lot of host information, such as the source/binary code of the vulnerable program, the vulnerability condition, execution traces, etc.
[Figure: design-space chart with axes Network Based vs. Host Based and Vulnerability Based vs. Exploit Based; related work placed in it: [Polygraph-SSP05], [Hamsa-SSP06], [PADS-INFOCOM05], [CFG-RAID05], [Nemean-Security05], [DOCODA-CCS05], [TaintCheck-NDSS05], [Vulsig-SSP06], [Vigilante-SOSP05], [COVERS-CCS05], [ShieldGen-SSP07], and LESG (this paper) as the network-based, vulnerability-based approach]
7
Outline
• Motivation and Related Work
• Design of LESG
• Problem Statement
• Three Stage Algorithm
• Attack Resilience Analysis
• Evaluation
• Conclusions
8
Basic Ideas
• At least 75% of vulnerabilities are due to buffer overflow
• Field length is intrinsic to a buffer overflow vulnerability and hard to evade
• However, there could be thousands of fields, so selecting the optimal field set is hard
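The following Python block is an added illustration of the basic idea on this slide, not the LESG paper's own three-stage algorithm: for a toy "KEY=value;KEY=value" protocol (constructed for this example), it learns the longest value seen per field in a pool of normal messages, then greedily selects the fields whose length thresholds separate a pool of suspicious messages from normal traffic (a set-cover heuristic, since choosing the optimal field set exactly is hard). All messages, field names and function names are constructed assumptions.

```python
"""Added example: a simplified length-based signature learner for a toy protocol.
Not the LESG paper's algorithm; the protocol and all sample messages are constructed."""
from typing import Dict, List


def parse_fields(msg: str) -> Dict[str, str]:
    """Parse the toy 'KEY=value;KEY=value' protocol into a field -> value map."""
    fields: Dict[str, str] = {}
    for part in msg.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = value
    return fields


def per_field_thresholds(normal_pool: List[str]) -> Dict[str, int]:
    """Longest value seen for each field in normal traffic.
    Anything longer than this is abnormal for that field, which is the
    intrinsic property a buffer overflow cannot hide by re-encoding its bytes."""
    thresholds: Dict[str, int] = {}
    for msg in normal_pool:
        for key, value in parse_fields(msg).items():
            thresholds[key] = max(thresholds.get(key, 0), len(value))
    return thresholds


def exceeds(msg: str, field: str, threshold: int) -> bool:
    """True when the message carries `field` with a value longer than `threshold`."""
    value = parse_fields(msg).get(field)
    return value is not None and len(value) > threshold


def generate_length_signature(normal_pool: List[str],
                              suspicious_pool: List[str]) -> Dict[str, int]:
    """Greedy field-set selection: repeatedly pick the field whose normal-traffic
    length threshold flags the most still-uncovered suspicious messages.
    Returns {field: threshold}; fields never seen in normal traffic are skipped
    because no baseline length exists for them."""
    thresholds = per_field_thresholds(normal_pool)
    uncovered = set(range(len(suspicious_pool)))
    signature: Dict[str, int] = {}
    while uncovered:
        best_field, best_hits = None, set()
        for field, threshold in thresholds.items():
            if field in signature:
                continue
            hits = {i for i in uncovered if exceeds(suspicious_pool[i], field, threshold)}
            if len(hits) > len(best_hits):
                best_field, best_hits = field, hits
        if best_field is None:
            # Remaining suspicious messages have no over-long field: a length
            # signature cannot explain them, so stop rather than over-fit.
            break
        signature[best_field] = thresholds[best_field]
        uncovered -= best_hits
    return signature


def matches(msg: str, signature: Dict[str, int]) -> bool:
    """A message matches when any signature field is longer than its threshold."""
    return any(exceeds(msg, field, threshold) for field, threshold in signature.items())


# Constructed sample pools. The suspicious pool imitates polymorphic variants:
# different filler bytes each time, but the same over-long field.
NORMAL_POOL = [
    "USER=alice;PASS=s3cret;CMD=list",
    "USER=bob;PASS=hunter2;CMD=get;PATH=/docs/report.txt",
    "USER=carol_long_name;PASS=pw;CMD=put;PATH=/tmp/x",
]
SUSPICIOUS_POOL = [
    "USER=eve;PASS=" + "A" * 40 + ";CMD=list",
    "USER=eve;PASS=" + "B" * 37 + ";CMD=get",
    "USER=mallory;PASS=" + "\x90" * 60 + ";CMD=put",
    "USER=" + "X" * 30 + ";PASS=pw;CMD=get",   # a second field being overflowed
]

if __name__ == "__main__":
    sig = generate_length_signature(NORMAL_POOL, SUSPICIOUS_POOL)
    print("length signature:", sig)   # {'PASS': 7, 'USER': 15}
    for m in NORMAL_POOL + SUSPICIOUS_POOL:
        print(matches(m, sig), m[:40])
```

The thresholds come only from the normal pool, so the byte content of the worm samples never enters the signature; only the field lengths do, which is why re-encoding the payload does not evade it. The greedy loop stops when no remaining suspicious message has an over-long field, which is the case for a worm that does not rely on a buffer overflow and therefore has no length signature.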