POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms - PowerPoint PPT Presentation

1
POLYGRAPH: Automatically Generating Signatures for Polymorphic Worms
  • Authors: James Newsome, Brad Karp, Dawn Song
  • PUBLICATION: IEEE Security and Privacy Symposium, May 2005
  • CLASS PRESENTATION BY: Anvita Priyam

2
POLYGRAPH
  • Intrusion Detection Systems (IDS)
    > monitor network traffic for suspicious activity
    > alert the system or the administrator
    > may block the user or the source IP
  • Signature-based IDS
    > monitors packets on the network and compares them against a database of signatures
    > lags behind in the case of a new threat

3
POLYGRAPH
  • Techniques currently used by IDS
    > string matching at arbitrary payload offsets
    > string matching at fixed payload offsets
    > matching of regular expressions within a flow's payload

4
POLYGRAPH
  • Polymorphic Worm
    > changes its appearance with every instance
    > byte sequences of worm instances vary
    > code remains the same
  • Mechanism
    > encrypt the code with a random key
    > generate a short decryptor (PD)
    > PD and the key keep changing

5
POLYGRAPH
  • Motivation for automating signatures
    > earlier, signatures were generated manually
    > slow paced

6
POLYGRAPH
  • Polygraph comes into the picture
    > signatures consist of multiple disjoint content substrings
    > substrings: protocol framing, return addresses, poorly obfuscated code
    > often present in all variants of a payload
  • PS: it does not consider single-substring signatures

7
POLYGRAPH
  • Underlying Assumption
    > it is possible to generate signatures automatically that match the many variants of a polymorphic worm (PW)
    > and that offer low false positives and low false negatives
  • BASIS
    > the variants share invariant content, as they exploit the same vulnerability

8
POLYGRAPH
  • Sources of Invariant Content
    > Exploit framing (e.g., reserved keywords, binary constants that are part of the wire protocol)
    > Exploit payload

9
POLYGRAPH
  • Signature Classes for PW
    > Conjunction Signatures
    > Token-Subsequence Signatures
    > Bayes Signatures

10
POLYGRAPH
  • Conjunction Signatures
    > signature consists of a set of tokens
    > all the tokens must match
    > the order in which they match does not matter

11
POLYGRAPH
  • Token-Subsequence Signatures
    > consist of an ordered set of tokens
    > identical ordering is required for a match
    > can be easily expressed as regular expressions
    > more specific than a conjunction signature

12
POLYGRAPH
  • Bayes Signatures
    > each token is associated with a score, and the signature with an overall threshold
    > instead of exact matching it provides probabilistic matching
    > construction and matching are less rigid
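The three signature classes from slides 10 to 12, as an added Python example; this is not code from the presentation or from the Polygraph paper. The tokens, flows, Bayes scores and threshold are all constructed for illustration (RET_ADDR stands in for an invariant return address that every variant of an exploit must carry), and the point the example makes is that a flow carrying the right tokens in the wrong order satisfies the conjunction and Bayes signatures but not the token-subsequence signature.

```python
import re
from typing import Dict, Iterable, Sequence

# Constructed sample data (not from the paper). RET_ADDR is a hypothetical
# hard-coded return address shared by every variant; the other two tokens are
# protocol framing. TOKENS lists them in the order the worm carries them.
RET_ADDR = b"\x7f\x88\x04\x08"
TOKENS = [b"GET ", RET_ADDR, b" HTTP/1.1\r\n"]

WORM_A = b"GET /" + b"A" * 20 + RET_ADDR + b"\x90" * 8 + b" HTTP/1.1\r\nHost: a\r\n\r\n"
WORM_B = b"GET /" + b"B" * 37 + RET_ADDR + b"\xcc" * 3 + b" HTTP/1.1\r\nHost: b\r\n\r\n"
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"
# Same three tokens as the worm, but the return-address bytes come *after*
# the request line, so the worm's ordering is violated.
REORDERED = b"GET / HTTP/1.1\r\nX-Pad: " + RET_ADDR + b"\r\n\r\n"


def match_conjunction(flow: bytes, tokens: Iterable[bytes]) -> bool:
    """Conjunction signature: every token must occur somewhere in the flow,
    in any order."""
    return all(tok in flow for tok in tokens)


def subsequence_regex(tokens: Sequence[bytes]):
    """Token-subsequence signature as a regular expression: the tokens must
    occur in the given order, with arbitrary bytes between them."""
    return re.compile(b".*".join(re.escape(tok) for tok in tokens), re.DOTALL)


def match_token_subsequence(flow: bytes, tokens: Sequence[bytes]) -> bool:
    return subsequence_regex(tokens).search(flow) is not None


def bayes_score(flow: bytes, scores: Dict[bytes, float]) -> float:
    """Bayes signature: sum the scores of the tokens present in the flow
    (each token counted once, regardless of order or repetition)."""
    return sum(score for tok, score in scores.items() if tok in flow)


def match_bayes(flow: bytes, scores: Dict[bytes, float], threshold: float) -> bool:
    return bayes_score(flow, scores) >= threshold


# Constructed scores: the framing tokens are nearly worthless on their own
# (innocuous traffic carries them too); the return address is decisive.
BAYES_SCORES = {b"GET ": 0.2, RET_ADDR: 3.5, b" HTTP/1.1\r\n": 0.2}
BAYES_THRESHOLD = 3.0


def classify(flow: bytes) -> Dict[str, bool]:
    """Apply all three signature classes to one flow."""
    return {
        "conjunction": match_conjunction(flow, TOKENS),
        "token_subsequence": match_token_subsequence(flow, TOKENS),
        "bayes": match_bayes(flow, BAYES_SCORES, BAYES_THRESHOLD),
    }


if __name__ == "__main__":
    for name, flow in [("WORM_A", WORM_A), ("WORM_B", WORM_B),
                       ("BENIGN", BENIGN), ("REORDERED", REORDERED)]:
        print(name, classify(flow))
```

Both worm variants match all three classes, the benign request matches none, and REORDERED is accepted by the conjunction and Bayes signatures but rejected by the token-subsequence signature, which is why the slide calls the latter more specific.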

13
POLYGRAPH
  • ARCHITECTURE
    [architecture diagram; component labels recovered from the slide: N/W tap, Flow classifier, Suspicious Flow Pool, Innocuous Flow Pool, PSG (Polygraph Signature Generator), Signature Evaluator]

14
POLYGRAPH
  • Design Goals
    > Signature quality
    > Efficient signature generation
    > Efficient signature matching
    > Generation of small signature sets
    > Robustness against noise and multiple worms
    > Robustness against evasion and subversion

15
POLYGRAPH
  • Signature Generation Algorithms
    > Pre-processing: token extraction
      > first step, to eliminate irrelevant parts
      > extract all distinct substrings of a minimum length
    > Generating single signatures
      > for a conjunction signature, just use token extraction; the signature is this set of tokens
      > for a token-subsequence signature, find a subsequence of tokens that is present in every sample, by iteratively applying string alignment

16
POLYGRAPH
  • Signature Generation Algorithms (contd.)
    > for a Bayes signature
      > choose a set of tokens
      > calculate the empirical probability of occurrence of each token
      > each token is then assigned a score
      > if a flow's total score is greater than the threshold, it is classified as worm
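The generation steps from slides 15 and 16, as an added Python example that is not code from the presentation or from the Polygraph paper; it also goes beyond those slides to show the effect of noise in the suspicious pool that slide 19 describes. Token extraction here is a brute-force scan over substrings rather than the paper's suffix tree, the token-subsequence step folds a longest-common-subsequence over the per-flow token orderings as a stand-in for iterative string alignment, and the threshold rule (just above the best-scoring innocuous flow) is an assumption of this example; the flows, RET_ADDR and both pools are constructed.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Constructed sample flows (not from the paper). RET_ADDR is a hypothetical
# hard-coded return address shared by every variant; the filler bytes differ.
RET_ADDR = b"\x7f\x88\x04\x08"
WORM_A = b"GET /" + b"A" * 20 + RET_ADDR + b"\x90" * 8 + b" HTTP/1.1\r\nHost: a\r\n\r\n"
WORM_B = b"GET /" + b"B" * 37 + RET_ADDR + b"\xcc" * 3 + b" HTTP/1.1\r\nHost: bb\r\n\r\n"
# An innocuous request that the flow classifier wrongly put in the suspicious pool.
NOISE = b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n"
INNOCUOUS = [
    b"GET /about.html HTTP/1.1\r\nHost: example\r\n\r\n",
    b"GET /img/logo.png HTTP/1.1\r\nHost: www\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www\r\nContent-Length: 0\r\n\r\n",
]


def extract_tokens(flows: Sequence[bytes], min_len: int = 4, min_frac: float = 1.0) -> List[bytes]:
    """Pre-processing: distinct substrings of at least min_len bytes that occur in
    at least min_frac of the flows. Only maximal tokens survive: a token that is
    a proper substring of another surviving token is dropped (brute force, in
    place of the paper's suffix-tree extraction)."""
    candidates = set()
    for flow in flows:
        for i in range(len(flow)):
            for j in range(i + min_len, len(flow) + 1):
                candidates.add(flow[i:j])
    need = max(1, math.ceil(min_frac * len(flows)))
    common = {c for c in candidates if sum(c in f for f in flows) >= need}
    return sorted(t for t in common if not any(t != u and t in u for u in common))


def token_order(flow: bytes, tokens: Sequence[bytes]) -> List[bytes]:
    """Tokens sorted by their first occurrence in the flow (absent ones skipped)."""
    return [t for _, t in sorted((flow.find(t), t) for t in tokens if t in flow)]


def lcs(a: List[bytes], b: List[bytes]) -> List[bytes]:
    """Longest common subsequence of two token sequences."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            dp[i + 1][j + 1] = dp[i][j] + 1 if a[i] == b[j] else max(dp[i][j + 1], dp[i + 1][j])
    out, i, j = [], n, m
    while i and j:
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1])
            i, j = i - 1, j - 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return out[::-1]


def token_subsequence_signature(flows: Sequence[bytes], tokens: Sequence[bytes]) -> List[bytes]:
    """Ordered token list present in every flow, obtained by folding an LCS over
    the per-flow token orderings (a stand-in for iterative string alignment)."""
    seq = token_order(flows[0], tokens)
    for flow in flows[1:]:
        seq = lcs(seq, token_order(flow, tokens))
    return seq


def flow_score(flow: bytes, scores: Dict[bytes, float]) -> float:
    """Bayes matching: sum of the scores of the tokens present in the flow."""
    return sum(s for tok, s in scores.items() if tok in flow)


def bayes_signature(suspicious: Sequence[bytes], innocuous: Sequence[bytes],
                    tokens: Sequence[bytes], smoothing: float = 0.5) -> Tuple[Dict[bytes, float], float]:
    """Score each token as log(P(token | suspicious) / P(token | innocuous)),
    with both probabilities estimated empirically from the pools (smoothed).
    The threshold is set just above the best score any innocuous flow reaches;
    that rule is an assumption of this example."""
    def frac(tok: bytes, pool: Sequence[bytes]) -> float:
        return (sum(tok in f for f in pool) + smoothing) / (len(pool) + 2 * smoothing)
    scores = {tok: math.log(frac(tok, suspicious) / frac(tok, innocuous)) for tok in tokens}
    worst_innocuous = max(flow_score(f, scores) for f in innocuous)
    return scores, worst_innocuous + 1e-9


if __name__ == "__main__":
    clean = [WORM_A, WORM_B]
    toks = extract_tokens(clean)
    print("conjunction signature:", toks)
    print("token-subsequence signature:", token_subsequence_signature(clean, toks))
    noisy = [WORM_A, WORM_B, NOISE]
    # With an innocuous flow in the pool, the return address is no longer common
    # to every sample, so the conjunction signature degrades to protocol framing.
    print("conjunction with noise:", extract_tokens(noisy))
    scores, thr = bayes_signature(noisy, INNOCUOUS, extract_tokens(noisy, min_frac=0.6))
    print("bayes scores:", {t: round(s, 2) for t, s in scores.items()}, "threshold:", round(thr, 2))
```

On the two clean samples the extracted tokens are the request-line prefix, the return address, the header framing and the terminating blank line, and the token-subsequence step recovers them in the worm's order. Once a misclassified innocuous flow joins the pool, the return address no longer appears in every sample, so the conjunction signature shrinks to framing that any HTTP request would match; the Bayes signature, which only needs a token to be more likely in the suspicious pool than in the innocuous one, still gives the return address a high score and keeps the worms above the threshold while the innocuous flows stay below it.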

17
POLYGRAPH
  • Generating Multiple Signatures
    > the Bayes signature algorithm remains unmodified
    > the token-subsequence and conjunction algorithms require clustering

18
POLYGRAPH
  • Experimental Results
    > Single polymorphic worm
      > Apache-Knacker exploit
        > Conjunction signatures: 0.0024 false positives, 0 false negatives
        > Token-subsequence: 0.0008 false positives, 0 false negatives
        > Bayes signatures: 0.008 false positives, 0 false negatives
      > BIND-TSIG exploit
        > Conjunction signatures: 0 false positives / false negatives
        > Token-subsequence: 0 false positives / false negatives
        > Bayes signatures: 0.0023 false positives, 0 false negatives

19
POLYGRAPH
  • Experimental Results (contd.)
    > Single polymorphic worm with noise
      > conjunction and token-subsequence signatures remain the same
      > Bayes signatures are not affected by noise until it grows beyond 80
    > Multiple polymorphic worms with noise
      > conjunction and token-subsequence signatures are generated for each type of worm
      > only one Bayes signature is generated, and it matches all the worms

20
POLYGRAPH
  • CONCLUSION
    > content-based filtering holds great promise for tackling PW
    > Polygraph automatically derives signatures for PW
    > it generates high-quality signatures even in the presence of multiple flows and noise
    > rumors of the demise of content-based filtering are exaggerated

21
POLYGRAPH
  • WEAKNESS
    > very little insight into how PWs function
    > payload invariance assumptions are naïve
    > no clear reference to situational applications of the signature generation algorithms

22
POLYGRAPH
  • SUGGESTIONS
    > should be more informative on the initial topics
    > a wider range of studies is required