
Polygraph: Automatically generating signatures for polymorphic worms (2005)

by James Newsome
Venue: In Proceedings of the IEEE Symposium on Security and Privacy
Citations: 274 - 17 self

BibTeX

@INPROCEEDINGS{Newsome05polygraph:automatically,
    author = {James Newsome},
    title = {Polygraph: Automatically generating signatures for polymorphic worms},
    booktitle = {In Proceedings of the IEEE Symposium on Security and Privacy},
    year = {2005},
    pages = {226--241}
}


Abstract

It is widely believed that content-signature-based intrusion detection systems (IDSes) are easily evaded by polymorphic worms, which vary their payload on every infection attempt. In this paper, we present Polygraph, a signature generation system that successfully produces signatures that match polymorphic worms. Polygraph generates signatures that consist of multiple disjoint content substrings. In doing so, Polygraph leverages our insight that for a real-world exploit to function properly, multiple invariant substrings must often be present in all variants of a payload; these substrings typically correspond to protocol framing, return addresses, and in some cases, poorly obfuscated code. We contribute a definition of the polymorphic signature generation problem; propose classes of signature suited for matching polymorphic worm payloads; and present algorithms for automatic generation of signatures in these classes. Our evaluation of these algorithms on a range of polymorphic worms demonstrates that Polygraph produces signatures for polymorphic worms that exhibit low false negatives and false positives.

Keyphrases

polymorphic worm, signature generation system, return address, low false negative, false positive, infection attempt, present algorithm, content-signature-based intrusion detection system, automatic generation, polymorphic worm payload, real-world exploit, polymorphic signature generation problem, propose class, multiple invariant substring, multiple disjoint content substring
