An Automated Signature Generation Approach for Polymorphic Worm Based on Color Coding
Jie Wang; Jianxin Wang; Jianer Chen; Xi Zhang
IEEE International Conference on Communications, 2009. ICC '09.
Reporter: Luo Sheng-Yuan, 2009/11/12

Outline
• Introduction
• Related Work
• Proposed Scheme
• Experimental Results
• Conclusion

Introduction
• Previous approaches can generate signatures for worms when there is no noise disturbance, but they all have trouble generating worm signatures in the presence of noise.

Related Work
• Polygraph’s Scheme
  • Token Signature

Related Work
• Polygraph’s Scheme
  • Token-subsequence Signature
    • consists of an ordered list of tokens
  • Conjunction Signature
    • consists of an unordered set of tokens
  • Bayes Signature
    • consists of a set of tokens, each token associated with a score

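An added example, not code from the paper or the slides: matchers for the three Polygraph signature classes listed above, run over constructed payloads to show where the classes disagree. The tokens, scores, the Bayes threshold and the flows are all assumptions made for illustration.

```python
# Added example: the three Polygraph signature classes as matchers.
# Tokens, scores, THRESHOLD and FLOWS are constructed for illustration.

def match_conjunction(tokens, payload):
    """Unordered set: every token must occur somewhere in the payload."""
    return all(t in payload for t in tokens)

def match_subsequence(tokens, payload):
    """Ordered list: tokens must occur in the given order, non-overlapping."""
    pos = 0
    for t in tokens:
        idx = payload.find(t, pos)
        if idx < 0:
            return False
        pos = idx + len(t)  # the next token must start after this one ends
    return True

def bayes_score(scored_tokens, payload):
    """Sum the scores of the tokens that are present in the payload."""
    return sum(s for t, s in scored_tokens.items() if t in payload)

def match_bayes(scored_tokens, payload, threshold):
    # Comparing the summed score to a threshold is this example's assumption.
    return bayes_score(scored_tokens, payload) >= threshold

MARK = b"\xde\xad\xbe\xef"  # constructed stand-in for an invariant worm byte run
TOKENS = [b"GET ", b"HTTP/1.1\r\n", b"Host: ", MARK]
SCORED = {b"GET ": 0.1, b"HTTP/1.1\r\n": 0.1, b"Host: ": 0.2, MARK: 2.5}
THRESHOLD = 2.0

FLOWS = {  # constructed sample flows
    "in_order":  b"GET /a HTTP/1.1\r\nHost: x\r\n\r\n\x90\x41" + MARK + b"\x12",
    "reordered": MARK + b" GET /b HTTP/1.1\r\nHost: y\r\n",
    "partial":   b"POST /c HTTP/1.1\r\nHost: z\r\n\r\n" + MARK,
    "benign":    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

def classify(payload):
    """Return (token-subsequence, conjunction, Bayes) match results."""
    return (match_subsequence(TOKENS, payload),
            match_conjunction(TOKENS, payload),
            match_bayes(SCORED, payload, THRESHOLD))

if __name__ == "__main__":
    for name, payload in FLOWS.items():
        print(f"{name:10s} subseq/conj/bayes = {classify(payload)}")
```

The reordered flow shows that the ordered signature is the strictest of the three, while the partial flow is caught only by the scored signature because one high-score token outweighs the missing low-score one.
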
Proposed Scheme
• Color Coding
  • 5 items, 4 colors
  • There must be 2 items with the same color.

Proposed Scheme
• CCSF (Color Coding Signature Finding)
  • Divides n sequences into m groups, and each group contains 20 sequences.
  [Figure: Suspicious Pool (n sequences) divided into groups of 20]

Proposed Scheme
• CCSF
  • Color Coding

Proposed Scheme
• CCSF
  • Extracts Common Substrings (Tokens)
  [Figure: Sequence 1, Sequence 2, ..., Sequence k, each containing "Hello" and "World" among other characters; labels "1 scan" and "2 scan"]

Experimental Results
• Signature generation with some noise sequences.
  • Correct Signature

Experimental Results
• Signature generation with some noise sequences.
  • Accurate Signature

Conclusion
• CCSF is able to generate signatures automatically for polymorphic worms in environments with noise.
• In this paper, CCSF considers only one worm type in a suspicious flow pool.