Research on an Automatic Signature Extraction Model and Algorithms for Polymorphic Worms
Abstract
With the wide application and popularization of the Internet, network security has become a focus of public attention. Because of the breadth of their propagation and the seriousness of their damage, network worms have become one of the hot issues in network security.
Because polymorphic worms introduce metamorphic techniques, the extraction and representation of their signatures differ greatly from those of traditional worms, which poses new challenges for signature-based worm detection systems (such as IDS) in terms of false positive and false negative rates. How to extract polymorphic worm signatures quickly and effectively is an important research direction in the field of signature extraction for intrusion detection.
Based on an analysis of polymorphic worm attack behaviour, this thesis proposes an automatic signature extraction model for polymorphic worms, discusses the signature extraction algorithm, describes the signature representation and the detection algorithm, designs and implements a prototype system based on the model and algorithm, and verifies the effectiveness of the model and algorithm.
The main work and contributions of this thesis include:
(1) The Smith-Waterman algorithm is used for signature extraction: by aligning the sequences of multiple suspicious polymorphic worm flows, their longest common subsequence is extracted automatically, and the result is represented as vectors in two forms, frequency and probability.
(2) A similarity-metric detection method uses the extracted signature vectors to determine the class of newly arriving polymorphic worm flows. With this method the signature need not match exactly, detection accuracy improves, and the sample space needed for signature extraction shrinks.
(3) The Normalized Local Alignment sequence alignment algorithm is applied to polymorphic worm signature extraction. It further reduces the sample space needed for extraction and further improves the detection accuracy of the extracted signatures; the extracted signature is the common subsequence with the highest similarity obtained by aligning multiple worm flows.
(4) A prototype system is implemented to test, in terms of false positive and false negative rates, the effectiveness of the signatures extracted by the Smith-Waterman and Normalized Local Alignment algorithms, the superiority of Normalized Local Alignment over Smith-Waterman, and the feasibility of the similarity-metric detection method.
Research in this paper is supported by the National Natural Science Foundation of China project "Network Camouflaging Cooperative Security Model Research", grant number 60503008.
With the extensive application and popularization of the Internet, network security has become a focus of public concern. Internet worms in particular have become one of the hottest topics in network security because of their wide propagation and serious damage.
With the introduction of metamorphic techniques in polymorphic worms, the extraction and representation of polymorphic worm signatures differ from the traditional methods, which poses a new challenge to signature-based worm detection systems (e.g., IDS) in terms of false positives and false negatives. How to generate signatures for polymorphic worms quickly and effectively is therefore an important problem in the research area of signature generation for IDS.
In this paper, firstly, an automatic signature generation model is built through attack behaviour analysis of polymorphic worms. Secondly, the automatic signature generation algorithm for polymorphic worms is discussed, and the representation of the signature and the detection algorithm are expounded. Thirdly, a prototype system based on the automatic signature generation model and algorithm is designed and implemented. Finally, the effectiveness of the automatic signature generation model and algorithm is tested and evaluated by several experiments.
The main work and contributions of this paper include the following:
(1) The signature generated by the Smith-Waterman algorithm in this paper is pattern-based and represented in two vector forms (frequency and probability); it is the longest common subsequence obtained by sequence comparison of several suspicious polymorphic worm flows.
(2) New incoming polymorphic worm flows are classified by the signature vector and the similarity-metric detection method. With this method the generated signature does not have to match completely, yet the detection accuracy increases while the required sample space decreases.
(3) The attack signature of a polymorphic worm is generated by the Normalized Local Alignment algorithm, which further increases the detection accuracy and further decreases the sample space. The signature generated by the Normalized Local Alignment algorithm is the common subsequence with the maximum degree of similarity obtained by sequence comparison of several polymorphic worm flows.
(4) A prototype system based on the automatic signature generation model and algorithm is implemented, in order to evaluate the effectiveness of the signature generation algorithm and the feasibility of the similarity-metric detection method in terms of false positives and false negatives, and to verify the superiority of the Normalized Local Alignment algorithm over the Smith-Waterman algorithm.
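An added example, not code from the thesis, of the pipeline that both the Chinese and the English summaries above describe: Smith-Waterman local alignment folded over several suspicious flows so that only bytes common to all of them survive, the resulting signature expressed as a byte frequency or probability vector, and similarity-metric detection of new flows. The constructed sample flows, the scoring parameters (match 2, mismatch -1, gap -2), the 0.8 threshold and the choice of cosine similarity as the metric are all assumptions; the abstract does not specify them.

```python
from collections import Counter

def smith_waterman(a: bytes, b: bytes, match=2, mismatch=-1, gap=-2):
    """Local alignment of two byte strings; returns (bytes common to both, best score)."""
    n, m = len(a), len(b)
    H = [[0] * (m + 1) for _ in range(n + 1)]
    best, end = 0, (0, 0)
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            s = match if a[i - 1] == b[j - 1] else mismatch
            H[i][j] = max(0, H[i - 1][j - 1] + s, H[i - 1][j] + gap, H[i][j - 1] + gap)
            if H[i][j] > best:
                best, end = H[i][j], (i, j)
    i, j, out = end[0], end[1], bytearray()
    while i > 0 and j > 0 and H[i][j] > 0:  # trace back from the highest-scoring cell
        s = match if a[i - 1] == b[j - 1] else mismatch
        if H[i][j] == H[i - 1][j - 1] + s:
            if s == match:
                out.append(a[i - 1])  # only bytes present in both flows enter the signature
            i, j = i - 1, j - 1
        elif H[i][j] == H[i - 1][j] + gap:
            i -= 1
        else:
            j -= 1
    return bytes(reversed(out)), best

def extract_signature(flows):
    """Align every suspicious flow against the running signature; invariant bytes survive."""
    sig = flows[0]
    for f in flows[1:]:
        sig, _ = smith_waterman(sig, f)
    return sig

def byte_vector(data: bytes, probability=False):
    """Frequency (counts) or probability (counts / length) vector over byte values."""
    total = len(data) or 1
    return {b: (c / total if probability else c) for b, c in Counter(data).items()}

def cosine(u, v):
    dot = sum(x * v.get(k, 0.0) for k, x in u.items())
    norm = sum(x * x for x in u.values()) ** 0.5 * sum(x * x for x in v.values()) ** 0.5
    return dot / norm if norm else 0.0

def is_worm_flow(flow: bytes, signature: bytes, threshold=0.8):
    """Similarity-metric detection: the flow need not contain the signature verbatim."""
    return cosine(byte_vector(flow, True), byte_vector(signature, True)) >= threshold

# Constructed sample flows (assumption): an invariant request/decoder part around varying filler.
FLOWS = [b"GET /cgi-bin/run?q=" + fill + b"\x90" * 4 + b"DECODER" + tail for fill, tail in
         ((b"AAAA", b"\x01\x02"), (b"BBBB", b"\x03\x04"), (b"CCCC", b"\x05\x06"))]
SIGNATURE = extract_signature(FLOWS)
```

Byte histograms ignore ordering, so the threshold is exactly the knob that trades false positives against false negatives, which is what the thesis' prototype measures. Normalized Local Alignment would replace the raw score with a length-normalized one so that short, dense matches are not outscored by long, sparse ones.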