swMATH ID: 23932
Software Authors: Newsome, J., Karp, B., Song, D.
Description: Polygraph: automatically generating signatures for polymorphic worms. It is widely believed that content-signature-based intrusion detection systems (IDS) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives.
Homepage: https://ieeexplore.ieee.org/document/1425070/
Related Software: Autograph; Hamsa; Snort; Panorama; KEA; FIRMA; VAMO; ExecScent; BitShred; PhishEye; BotProfiler; BotTokenizer; BotMiner; BotSniffer; pytbull; RRE; Valgrind; TCPDUMP; SpamBayes; robustbase
Cited in: 4 Documents

Cited in 1 Serial

3 Machine Learning

Citations by Year