Results 1 - 6 of 6
Polygraph: Automatically generating signatures for polymorphic worms
In Proceedings of the IEEE Symposium on Security and Privacy, 2005
Cited by 181 (13 self)
It is widely believed that content-signature-based intrusion detection systems (IDSes) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives.
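The two signature classes the abstract refers to, a conjunction of tokens and an ordered token subsequence, as an added Python illustration. This is not Polygraph's code or its algorithms (Polygraph extracts tokens with a suffix tree and clusters samples into signature sets); it brute-forces the substrings common to a few constructed polymorphic samples, builds both signature types, and shows why protocol framing alone would match benign traffic while the full signature does not. The payloads, the framing, the return-address bytes (which refer to no real target) and the MIN_TOKEN threshold are all assumptions.

```python
"""Multi-token signatures for polymorphic payloads (added illustration).

Not Polygraph's own code: a brute-force common-substring search over a few
constructed samples, used only to show what a conjunction signature and a
token-subsequence signature look like. Return-address bytes are made up.
"""

MIN_TOKEN = 4   # shortest substring treated as a token (assumption)

# Invariants a working exploit cannot vary: protocol framing and the return address.
FRAMING = b"GET /cgi-bin/login.cgi?user="
RET = b"\xc0\xd1\x04\x08" * 2            # constructed, not a real address
TAIL = b" HTTP/1.1\r\nHost: x\r\n\r\n"


def variant(sled_byte, decoder):
    """One polymorphic instance: sled and decoder change, the invariants do not."""
    return FRAMING + bytes([sled_byte]) * 16 + RET + decoder + TAIL


SAMPLES = [   # constructed training set: three instances of the same exploit
    variant(0x90, b"\xeb\x10" + bytes(range(0x41, 0x51))),
    variant(0x41, b"\x31\xc9" + bytes(range(0x61, 0x71))),
    variant(0x42, b"\xd9\xee" + bytes(range(0x30, 0x40))),
]


def common_tokens(samples, min_len=MIN_TOKEN):
    """Maximal substrings of length >= min_len that occur in every sample."""
    base = min(samples, key=len)
    found = set()
    for i in range(len(base)):
        for j in range(len(base), i + min_len - 1, -1):   # longest candidate first
            sub = base[i:j]
            if all(sub in s for s in samples):
                found.add(sub)
                break
    # keep only tokens that are not substrings of another token
    maximal = [t for t in found if not any(t != u and t in u for u in found)]
    return sorted(maximal, key=len, reverse=True)


def conjunction_signature(samples):
    """Conjunction signature: the set of tokens, order irrelevant."""
    return common_tokens(samples)


def token_subsequence_signature(samples):
    """Token-subsequence signature: the same tokens in the order they appear."""
    return sorted(common_tokens(samples), key=samples[0].find)


def matches_conjunction(tokens, payload):
    """Every token present anywhere in the payload."""
    return all(t in payload for t in tokens)


def matches_subsequence(tokens, payload):
    """Every token present, in order, without overlapping."""
    pos = 0
    for t in tokens:
        idx = payload.find(t, pos)
        if idx < 0:
            return False
        pos = idx + len(t)
    return True


if __name__ == "__main__":
    conj = conjunction_signature(SAMPLES)
    seq = token_subsequence_signature(SAMPLES)
    print("tokens:", conj)
    unseen = variant(0x43, b"\x90\x90" + bytes(range(0x71, 0x81)))   # a fourth variant
    print("new variant:", matches_conjunction(conj, unseen), matches_subsequence(seq, unseen))
    benign = FRAMING + b"alice" + TAIL          # same framing, no return address
    print("benign request:", matches_conjunction(conj, benign))
    shuffled = RET + FRAMING + b"x" + TAIL       # tokens present but out of order
    print("shuffled:", matches_conjunction(conj, shuffled), matches_subsequence(seq, shuffled))
```

The benign request shows why framing alone is not a signature: it carries FRAMING and TAIL but never the return address, so only the combination of all three tokens separates exploit from normal traffic. The shuffled payload separates the two classes from each other: a conjunction accepts tokens in any order, a token subsequence insists on the order seen in the samples.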
The age of data: pinpointing guilty bytes in polymorphic buffer overflows on heap or stack
In 23rd Annual Computer Security Applications Conference (ACSAC’07), 2007
Cited by 6 (4 self)
Heap and stack buffer overflows are still among the most common attack vectors in intrusion attempts. In this paper, we ask a simple question that is surprisingly difficult to answer: which bytes contributed to the overflow? By careful observation of all scenarios that may occur in overflows, we identified the information that needs to be tracked to pinpoint the offending bytes. There are many reasons why this is a hard problem. For instance, by the time an overflow is detected some of the bytes may already have been overwritten, creating gaps. Additionally, it is hard to tell the offending bytes apart from unrelated network data. In our solution, we tag data from the network with an age stamp whenever it is written to a buffer. Doing so allows us to distinguish between different bytes and ignore gaps, and provide precise analysis of the offending bytes. By tracing these bytes to protocol fields, we obtain accurate signatures that cater to polymorphic attacks.
Prospector: Accurate analysis of heap and stack overflows by means of agestamps
2007
Tales from the Crypt: fingerprinting attacks on encrypted channels by way of retainting
In Proc. of 3rd European Conference on Computer Network Defense (EC2ND), Heraklion, 2007
Cited by 1 (0 self)
Paradoxically, encryption makes it hard to detect, fingerprint and stop exploits. We describe Hassle, a honeypot capable of detecting and fingerprinting monomorphic and polymorphic attacks on encrypted channels. It uses dynamic taint analysis in an emulator to detect attacks, and it tags each tainted byte in memory with a pointer to its origin in the corresponding network trace. Upon detecting an attack, we correlate tainted memory blocks with the network trace to generate various types of signature. As correlation with encrypted data is difficult, we retaint data on encrypted connections, making tags point to decrypted data instead.
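The tagging scheme that the age-of-data abstract and the Hassle abstract above both describe (each tainted byte points back to its offset in the network trace, and carries an age stamp saying which copy stored it), as an added Python simulation. This is not Prospector's or Hassle's code: it models a stack with a fixed layout, a bounds-less copy that overruns a buffer, a later unrelated write that punches a gap into the overflowed region, and then recovers the offending bytes from the age stamp on the clobbered return address and maps them to a protocol field. The line protocol, the trace, the stack layout and the rule "taint in the saved return address means overflow" are all constructed assumptions.

```python
"""Age-stamped taint tags that point back into the network trace (added simulation).

Not Prospector's or Hassle's code: it models the mechanism the two abstracts
describe. Every byte copied from the network carries an origin tag (its offset
in the trace) and an age stamp (the sequence number of the write that stored it).
Protocol, trace and stack layout are constructed; taint reaching the saved return
address is the assumed overflow detector.
"""

TRACE = b"USER alice\r\nPASS " + b"A" * 26 + b"\r\n"   # constructed network input
BUF_A, BUF_B = 0, 16        # two 16-byte stack buffers
LOCAL = range(32, 36)       # an untainted local variable above BUF_B
SAVED_RET = range(36, 40)   # saved return address; taint here means overflow


class TaggedMemory:
    def __init__(self, size):
        self.data = bytearray(size)
        self.origin = [None] * size   # taint tag: trace offset the byte came from
        self.age = [0] * size         # age stamp: which write operation stored it
        self.clock = 0

    def copy_from_trace(self, trace, src, length, dst):
        """strcpy-style copy with no bounds check; the overflow is deliberate."""
        self.clock += 1
        for k in range(length):
            if dst + k >= len(self.data):
                break
            self.data[dst + k] = trace[src + k]
            self.origin[dst + k] = src + k
            self.age[dst + k] = self.clock

    def write_local(self, addr, value):
        """Ordinary untainted write, e.g. the program updating a counter."""
        self.clock += 1
        for k, byte in enumerate(value):
            self.data[addr + k] = byte
            self.origin[addr + k] = None
            self.age[addr + k] = self.clock


def parse_fields(message):
    """Constructed line protocol '<NAME> <value>\\r\\n': [(name, value_start, value_end)]."""
    fields, pos = [], 0
    for line in message.split(b"\r\n"):
        if line:
            name, _, value = line.partition(b" ")
            start = pos + len(name) + 1
            fields.append((name.decode(), start, start + len(value)))
        pos += len(line) + 2
    return fields


def overflow_detected(mem):
    return any(mem.origin[a] is not None for a in SAVED_RET)


def pinpoint(mem, trace):
    """Recover the offending bytes from the age stamp on the clobbered return address."""
    age = {mem.age[a] for a in SAVED_RET}.pop()   # one copy wrote all four bytes here
    # Every surviving byte of that copy, wherever it landed. Bytes of the same copy that
    # were overwritten later carry a newer age stamp and show up as gaps, not as noise;
    # tainted bytes from other copies (the USER field in BUF_A) are excluded by age.
    offsets = sorted(mem.origin[a] for a in range(len(mem.data))
                     if mem.age[a] == age and mem.origin[a] is not None)
    present = set(offsets)
    gaps = [o for o in range(offsets[0], offsets[-1] + 1) if o not in present]
    name, start, _ = next(f for f in parse_fields(trace) if f[1] <= offsets[0] < f[2])
    min_len = mem.origin[SAVED_RET[0]] - start + 1   # value length that first reaches the return address
    return {"field": name, "min_len": min_len, "offsets": offsets, "gaps": gaps}


def signature_matches(sig, message):
    """Field-level signature: the same field, long enough to reach the return address."""
    return any(n == sig["field"] and end - start >= sig["min_len"]
               for n, start, end in parse_fields(message))


def run_scenario():
    mem = TaggedMemory(48)
    fields = {n: (s, e) for n, s, e in parse_fields(TRACE)}
    s, e = fields["USER"]
    mem.copy_from_trace(TRACE, s, e - s, BUF_A)          # 5 bytes into 16: fits (age 1)
    s, e = fields["PASS"]
    mem.copy_from_trace(TRACE, s, e - s, BUF_B)          # 26 bytes into 16: overflow (age 2)
    mem.write_local(LOCAL.start, b"\x00\x00\x00\x01")    # clobbers part of the overflow (age 3)
    assert overflow_detected(mem)
    return pinpoint(mem, TRACE)


if __name__ == "__main__":
    sig = run_scenario()
    print(sig)
    print(signature_matches(sig, b"USER bob\r\nPASS " + bytes(range(0x21, 0x36)) + b"\r\n"))  # polymorphic: True
    print(signature_matches(sig, b"USER bob\r\nPASS hunter2\r\n"))                             # benign: False
```

The recovered record names the PASS field, lists the trace offsets that survived in memory, reports the four offsets the local write destroyed as gaps rather than silently shrinking the range, and derives the minimum value length at which the field reaches the saved return address. That length, not the payload content, is what the resulting signature keys on, which is why a variant with entirely different bytes still matches.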
Catch Me, If You Can: Evading Network Signatures with Web-based Polymorphic Worms
Cited by 1 (0 self)
Polymorphic worms are self-replicating malware that change their representation as they spread throughout networks in order to evade worm detection systems. A number of approaches to detect polymorphic worms have been proposed. These approaches use samples of a polymorphic worm (and of benign traffic as well) to derive a signature that can detect all instances of the worm without producing excessive false positives. Even though these systems claim to be able to generate signatures for any type of worm, all the examples that are used to show the ability to detect polymorphic worms are based on exploits that target memory corruption vulnerabilities. In this paper, we show how a different class of worms, namely those based on web vulnerabilities and scripting languages, can be much harder to detect than “traditional” polymorphic worms. We developed a polymorphic engine for PHP code and we tested the ability of state-of-the-art tools to detect this type of worm. The results of our experiments show that a PHP-based polymorphic worm would be able to successfully evade existing signature generation systems.
Ensemble: Community-based Anomaly Detection for Popular Applications
Cited by 1 (0 self)
A major challenge in securing end-user systems is the risk of popular applications being hijacked at run-time. Traditional measures do not prevent such threats because the code itself is unmodified and local anomaly detectors are difficult to tune for correct thresholds due to insufficient training data. Given that the targets of attackers are often popular applications for communication and social networking, we propose Ensemble, a novel, automated approach based on a trusted community of users contributing system-call level local behavioral profiles of their applications to a global profile merging engine. The trust can be assumed in cases such as enterprise environments and can be further policed by reputation systems, e.g., by exploiting trust relationships inherently associated with social networks. The generated global profile can be used by all community users for local anomaly detection or prevention. Evaluation results based on a malware pool of 57 exploits demonstrate that Ensemble is an effective defense technique for communities of about 300 or more users as in enterprise environments.
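The profile-merging idea in the Ensemble abstract, as an added Python illustration rather than Ensemble's own code. Local profiles are sets of system-call n-grams from each user's own runs; merging them into a global profile covers behaviour a single user never exercised (the "insufficient training data" problem), while a hijacked run still produces n-grams nobody has reported. The application behaviours, the four users, the n-gram length and the min_support policing rule (a stand-in for the reputation policing the abstract mentions) are constructed assumptions.

```python
"""Community-merged syscall n-gram profiles (added illustration, not Ensemble's code).

Each user's local profile is the set of syscall n-grams observed in their own runs
of an application. Profiles are merged into a global profile; a run is scored by
the fraction of its n-grams the profile does not explain. Behaviours, users and
n-gram length are constructed assumptions.
"""
from collections import Counter

N = 3   # n-gram length (assumption)

# Constructed application behaviours as syscall sequences.
OPEN_DOC   = ["open", "fstat", "read", "read", "close"]
CHAT       = ["socket", "connect", "write", "read", "close"]
SAVE_FILE  = ["open", "write", "write", "close"]
SPELLCHECK = ["open", "mmap", "read", "munmap", "close"]
HIJACK     = ["socket", "connect", "read", "mprotect", "execve"]   # run-time hijack after a network read

# Each user only ever exercised a subset of the application's features.
USERS = {
    "alice": [OPEN_DOC, CHAT],
    "bob":   [CHAT, SAVE_FILE],
    "carol": [OPEN_DOC, SPELLCHECK],
    "dave":  [SAVE_FILE, SPELLCHECK],
}


def ngrams(trace, n=N):
    return {tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)}


def local_profile(traces):
    """One user's profile: every n-gram seen in that user's own runs."""
    profile = set()
    for trace in traces:
        profile |= ngrams(trace)
    return profile


def merge_profiles(profiles, min_support=1):
    """Global profile: n-grams reported by at least min_support members.
    min_support > 1 is an assumed policing rule so that one contributor
    cannot whitelist behaviour on their own."""
    support = Counter(g for p in profiles for g in p)
    return {g for g, count in support.items() if count >= min_support}


def community_profile(users, min_support=1):
    return merge_profiles([local_profile(t) for t in users.values()], min_support)


def anomaly_score(profile, trace):
    """Fraction of the run's n-grams absent from the profile; 0.0 = fully explained."""
    grams = ngrams(trace)
    return len(grams - profile) / len(grams) if grams else 0.0


if __name__ == "__main__":
    alice = local_profile(USERS["alice"])
    print("alice alone, first time saving a file:", anomaly_score(alice, SAVE_FILE))
    community = community_profile(USERS)
    print("community profile, saving a file:", anomaly_score(community, SAVE_FILE))
    print("community profile, hijacked run:", anomaly_score(community, HIJACK))
    poisoned = dict(USERS, mallory=[HIJACK])   # one member reports the hijack as normal
    print("poisoned, min_support=1:", anomaly_score(community_profile(poisoned, 1), HIJACK))
    print("poisoned, min_support=2:", anomaly_score(community_profile(poisoned, 2), HIJACK))
```

Alice's local profile flags her own first file save as fully anomalous because she never trained on it; the merged profile explains it because two other members did, yet still scores the hijacked run as fully anomalous. The poisoned community shows the other side: with min_support=1 a single dishonest contributor whitelists the hijack, with min_support=2 it stays flagged.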

