Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms

Miami Beach, Florida, USA December 10-December 14

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/ACSAC.2007.42

Twenty-Third Annual Computer Security ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Matthew Van Gundy Articles by Hao Chen Articles by Zhendong Su Articles by Giovanni Vigna

	ASCII Text	x
	Matthew Van Gundy, Hao Chen, Zhendong Su, Giovanni Vigna, "Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms," Computer Security Applications Conference, Annual, pp. 74-85, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 2007.

	BibTex	x
	@article{ 10.1109/ACSAC.2007.42, author = {Matthew Van Gundy and Hao Chen and Zhendong Su and Giovanni Vigna}, title = {Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms}, journal ={Computer Security Applications Conference, Annual}, volume = {0}, year = {2007}, issn = {1063-9527}, pages = {74-85}, doi = {http://doi.ieeecomputersociety.org/10.1109/ACSAC.2007.42}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computer Security Applications Conference, Annual TI - Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms SN - 1063-9527 SP74 EP85 A1 - Matthew Van Gundy, A1 - Hao Chen, A1 - Zhendong Su, A1 - Giovanni Vigna, PY - 2007 VL - 0 JA - Computer Security Applications Conference, Annual ER -

To combat the rapid infection rate of today's Internet worms, signatures for novel worms must be generated soon after an outbreak. This is especially critical in the case of polymorphic worms, whose binary representa- tion changes frequently during the infection process. In this paper, we examine the assumptions under- lying two leading network-based signature generation systems for polymorphic worms: Polygraph [14] and Hamsa [12]. By identifying an assumption of both sys- tems not met by all vulnerabilities, we discover a class of vulnerabilities (feature omission vulnerabilities) that neither system can accurately characterize. We demon- strate the limitations of Polygraph and Hamsa by testing the signatures that they generate for exploits targeting a feature omission vulnerability. We discuss why feature omission vulnerabilities are difficult to characterize and how increased semantic awareness can help the signa- ture generation process.

Citation:

Matthew Van Gundy, Hao Chen, Zhendong Su, Giovanni Vigna, "Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms," acsac, pp.74-85, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), 2007

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.