Improve the expressiveness of signature models for polymorphic worms.
We investigate the limitations of the signature models used by current polymorphic worm signature generators. These generators assume that worm traffic must contain tokens that are rarely present in innocuous traffic, and therefore build their worm signatures from such tokens. However, we discovered a new class of vulnerabilities, feature omission vulnerabilities, which arise when certain features are missing from the input data. Using such a vulnerability in the real world, we demonstrated that an attacker can create polymorphic worms for which popular worm signature generators cannot produce effective signatures.
We are extending worm signature models so that they can express feature omission vulnerabilities, and are building systems that automatically generate such signatures for polymorphic worms. Such signatures would improve the Innate Response component of Helix, allowing it to detect a broader class of polymorphic worms and to reduce its false positive and false negative rates.
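As an added illustration (not code from the Helix project), the following constructed Python example contrasts a token-conjunction signature with one extended to require a feature's absence; the service, the traffic samples and the omitted header are hypothetical, chosen only to show why invariant tokens alone cannot express the worm's distinguishing property.

```python
import random
from dataclasses import dataclass


@dataclass
class TokenSignature:
    """Conjunction signature in the style of token-based generators:
    a payload matches only if every token is present."""
    tokens: tuple

    def matches(self, payload: bytes) -> bool:
        return all(t in payload for t in self.tokens)


@dataclass
class OmissionSignature(TokenSignature):
    """Extension: the listed features must additionally be ABSENT."""
    absent: tuple = ()

    def matches(self, payload: bytes) -> bool:
        return super().matches(payload) and not any(a in payload for a in self.absent)


# Constructed traffic for a hypothetical service that misparses a POST
# arriving without a Content-Length header. Worm instances are polymorphic:
# every byte outside the fixed request line is randomized.
def worm_sample(rng):
    pad = bytes(rng.choice(b"abcdefghijklmnopqrstuvwxyz") for _ in range(16))
    body = bytes(rng.randrange(256) for _ in range(32))
    return b"POST /upload HTTP/1.1\r\nHost: " + pad + b"\r\n\r\n" + body


def benign_sample(rng):
    body = bytes(rng.choice(b"abcdefghijklmnopqrstuvwxyz ") for _ in range(32))
    return (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
            b"Content-Length: 32\r\n\r\n" + body)


def evaluate(sig, worms, benign):
    """Return (true positives, false positives) for a signature."""
    return (sum(sig.matches(w) for w in worms), sum(sig.matches(b) for b in benign))


def run(n=20, seed=1):
    rng = random.Random(seed)
    worms = [worm_sample(rng) for _ in range(n)]
    benign = [benign_sample(rng) for _ in range(n)]
    # The only bytes invariant across worm instances are the request line and
    # "Host: ", which benign requests also contain, so a token-only signature
    # built from them matches everything (false positives on all benign flows).
    token_sig = TokenSignature((b"POST /upload HTTP/1.1", b"Host: "))
    omission_sig = OmissionSignature(token_sig.tokens, absent=(b"Content-Length:",))
    return {"token": evaluate(token_sig, worms, benign),
            "omission": evaluate(omission_sig, worms, benign)}


if __name__ == "__main__":
    print(run())  # {'token': (20, 20), 'omission': (20, 0)}
```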