Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience

Zhichun Li*, Manan Sanghi, Yan Chen, Ming-Yang Kao, Brian Chavez

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

172 Citations (Scopus)

Abstract

Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph [16] in terms of efficiency, accuracy, and attack resilience.

Original languageEnglish (US)
Title of host publicationProceedings - 2006 IEEE Symposium on Security and Privacy, S+P 2006
Pages32-46
Number of pages15
DOIs
StatePublished - Nov 21 2006
Event2006 IEEE Symposium on Security and Privacy, S and P 2006 - Berkeley, United States
Duration: May 21 2006May 24 2006

Publication series

NameProceedings - IEEE Symposium on Security and Privacy
Volume2006
ISSN (Print)1081-6011

Other

Other2006 IEEE Symposium on Security and Privacy, S and P 2006
CountryUnited States
CityBerkeley
Period5/21/065/24/06

Fingerprint

HIgh speed networks
Internet
Engines

ASJC Scopus subject areas

  • Engineering(all)

Cite this

Li, Z., Sanghi, M., Chen, Y., Kao, M-Y., & Chavez, B. (2006). Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. In Proceedings - 2006 IEEE Symposium on Security and Privacy, S+P 2006 (pp. 32-46). [1623999] (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2006). https://doi.org/10.1109/SP.2006.18
Li, Zhichun ; Sanghi, Manan ; Chen, Yan ; Kao, Ming-Yang ; Chavez, Brian. / Hamsa : Fast signature generation for zero-day polymorphic worms with provable attack resilience. Proceedings - 2006 IEEE Symposium on Security and Privacy, S+P 2006. 2006. pp. 32-46 (Proceedings - IEEE Symposium on Security and Privacy).
@inproceedings{c684ae178d2942a8aa178297e6bd137b,
title = "Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience",
abstract = "Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph [16] in terms of efficiency, accuracy, and attack resilience.",
author = "Zhichun Li and Manan Sanghi and Yan Chen and Ming-Yang Kao and Brian Chavez",
year = "2006",
month = "11",
day = "21",
doi = "10.1109/SP.2006.18",
language = "English (US)",
isbn = "0769525741",
series = "Proceedings - IEEE Symposium on Security and Privacy",
pages = "32--46",
booktitle = "Proceedings - 2006 IEEE Symposium on Security and Privacy, S+P 2006",

}

Li, Z, Sanghi, M, Chen, Y, Kao, M-Y & Chavez, B 2006, Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. in Proceedings - 2006 IEEE Symposium on Security and Privacy, S+P 2006., 1623999, Proceedings - IEEE Symposium on Security and Privacy, vol. 2006, pp. 32-46, 2006 IEEE Symposium on Security and Privacy, S and P 2006, Berkeley, United States, 5/21/06. https://doi.org/10.1109/SP.2006.18

Hamsa : Fast signature generation for zero-day polymorphic worms with provable attack resilience. / Li, Zhichun; Sanghi, Manan; Chen, Yan; Kao, Ming-Yang; Chavez, Brian.

Proceedings - 2006 IEEE Symposium on Security and Privacy, S+P 2006. 2006. p. 32-46 1623999 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2006).

Research output: Chapter in Book/Report/Conference proceedingConference contribution

TY - GEN

T1 - Hamsa

T2 - Fast signature generation for zero-day polymorphic worms with provable attack resilience

AU - Li, Zhichun

AU - Sanghi, Manan

AU - Chen, Yan

AU - Kao, Ming-Yang

AU - Chavez, Brian

PY - 2006/11/21

Y1 - 2006/11/21

N2 - Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph [16] in terms of efficiency, accuracy, and attack resilience.

AB - Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph [16] in terms of efficiency, accuracy, and attack resilience.

UR - http://www.scopus.com/inward/record.url?scp=33751064824&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33751064824&partnerID=8YFLogxK

U2 - 10.1109/SP.2006.18

DO - 10.1109/SP.2006.18

M3 - Conference contribution

AN - SCOPUS:33751064824

SN - 0769525741

SN - 9780769525747

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 32

EP - 46

BT - Proceedings - 2006 IEEE Symposium on Security and Privacy, S+P 2006

ER -

Li Z, Sanghi M, Chen Y, Kao M-Y, Chavez B. Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. In Proceedings - 2006 IEEE Symposium on Security and Privacy, S+P 2006. 2006. p. 32-46. 1623999. (Proceedings - IEEE Symposium on Security and Privacy). https://doi.org/10.1109/SP.2006.18