A LOW COST WORM DETECTION TECHNIQUE BASED ON FLOW PAYLOAD SIMILARITY

Youhei Suzuki, Yuji Waizumi, Hiroshi Tsunoda, Yoshiaki Nemoto

Abstract

Recently, damage to information systems caused by worms has been reported worldwide. Signature-based Intrusion Detection Systems (IDSs) are widely used to prevent this damage. To handle newly created worms, automatic signature generation techniques based on common strings in the payloads of multiple worm flows of the same kind have been proposed. Because these techniques need multiple strings as the signature for each kind of worm to achieve high detection accuracy, the calculation cost of detecting worms is a serious issue. In this paper, we propose a novel scheme that does not use common character strings. The proposed scheme uses a 256-dimensional vector based on the appearance frequencies of the 256 character codes. This vector is generated automatically and used as a means of detecting worms at low cost. In addition, we construct an inexpensive worm detection system by using the proposed method as the first-stage analysis ahead of a conventional IDS. We evaluate the proposed scheme through experiments and present its performance.
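The following is an added illustration of the approach the abstract describes, not code from the paper: each flow payload is reduced to a 256-dimensional vector of byte-value frequencies, flows are compared by cosine similarity, and only flows that closely resemble another flow are forwarded to the costly signature IDS as a second stage. The 0.95 threshold, the function names and the sample payloads are assumptions made for this example.

```python
from collections import Counter
import math

def byte_frequency_vector(payload: bytes) -> list:
    """256-dim vector: relative frequency of each byte value in the payload."""
    if not payload:
        return [0.0] * 256
    counts = Counter(payload)
    return [counts.get(b, 0) / len(payload) for b in range(256)]

def cosine_similarity(u: list, v: list) -> float:
    """Cosine similarity of two frequency vectors; 0.0 if either is all-zero."""
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    if norm_u == 0.0 or norm_v == 0.0:
        return 0.0
    return dot / (norm_u * norm_v)

def similar_flow_pairs(flows: dict, threshold: float = 0.95) -> list:
    """(id_a, id_b, similarity) for each pair of flows at or above the threshold."""
    vectors = {fid: byte_frequency_vector(p) for fid, p in flows.items()}
    ids = sorted(vectors)
    pairs = []
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            sim = cosine_similarity(vectors[a], vectors[b])
            if sim >= threshold:
                pairs.append((a, b, sim))
    return pairs

def first_stage_candidates(flows: dict, threshold: float = 0.95) -> set:
    """Flow ids that resemble another flow: only these are handed to the costly IDS."""
    candidates = set()
    for a, b, _ in similar_flow_pairs(flows, threshold):
        candidates.update((a, b))
    return candidates

# Constructed sample traffic (an assumption, not data from the paper): two
# worm-like payloads that differ in only a few bytes, and one ordinary HTTP request.
SAMPLE_FLOWS = {
    "worm-1": b"\x90" * 200 + b"host-a",
    "worm-2": b"\x90" * 200 + b"host-b",
    "http-1": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
}
```

Note that near-identical benign flows (for example repeated requests for the same resource) also score highly on this measure, which is why the scheme is positioned as a cheap pre-filter and the threshold must be tuned against the site's normal traffic.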



Paper Citation


in Harvard Style

Suzuki Y., Waizumi Y., Tsunoda H. and Nemoto Y. (2007). A LOW COST WORM DETECTION TECHNIQUE BASED ON FLOW PAYLOAD SIMILARITY. In Proceedings of the Third International Conference on Web Information Systems and Technologies - Volume 1: WEBIST, ISBN 978-972-8865-77-1, pages 414-417. DOI: 10.5220/0001279704140417


in Bibtex Style

@conference{webist07,
author={Youhei Suzuki and Yuji Waizumi and Hiroshi Tsunoda and Yoshiaki Nemoto},
title={A LOW COST WORM DETECTION TECHNIQUE BASED ON FLOW PAYLOAD SIMILARITY},
booktitle={Proceedings of the Third International Conference on Web Information Systems and Technologies - Volume 1: WEBIST},
year={2007},
pages={414-417},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001279704140417},
isbn={978-972-8865-77-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Third International Conference on Web Information Systems and Technologies - Volume 1: WEBIST
TI - A LOW COST WORM DETECTION TECHNIQUE BASED ON FLOW PAYLOAD SIMILARITY
SN - 978-972-8865-77-1
AU - Suzuki Y.
AU - Waizumi Y.
AU - Tsunoda H.
AU - Nemoto Y.
PY - 2007
SP - 414
EP - 417
DO - 10.5220/0001279704140417