Citation Context

...ries of content signature based detection, Polymorphicssignature based techniques, anomaly based detection andsbehavioral signatures.s3.2 Content-signature techniquessContent-based fingerprinting [7]-=-=[10]-=- is a well-establishedsdimension to capture a worm’s characteristics by deriving thesmost representative content sequence as the worm’s signature.sTable 2 presents some content-based fingerprintingste...

Citation Context

...tegories of content signature based detection, Polymorphicssignature based techniques, anomaly based detection andsbehavioral signatures.s3.2 Content-signature techniquessContent-based fingerprinting =-=[7]-=--[10] is a well-establishedsdimension to capture a worm’s characteristics by deriving thesmost representative content sequence as the worm’s signature.sTable 2 presents some content-based fingerprinti...

Citation Context

...iciouss[9]sN-gramsanalysissPacket Similaritys[10] AutographsPrevalence ofsportions of flowspayloadssCannot detectspolymorphic wormss3.3 Polymorphic-signature generationsschemessA number of techniques =-=[12]-=--[16] have been presented forsdetecting polymorphic worms. Again, the technique used isshighlighted, the worm characteristic leverage is indicated andsthe limitations of the technique are pointed out ...

Citation Context

...cansFig 2: Categorization of Internet Worm CharacteristicssTo further inform the identification of worm characteristicssleveraged by the various detection techniques, the worm lifescycle presented in =-=[6]-=- will be used. It consists of the followingsphases: 1) initialization phase where software is installed, thesconfiguration of the local machine and the instantiation of thesglobal variables and beginn...

Citation Context

...mitationss[12]sPolygraph, Multiple disjointscontent substringssMulti invariant substrings must be presentsin all variants of a payload (substringsscorresponding to protocol framing, returnsaddresses)s=-=[13]-=- Control Flow Graph (CFG) Similarities in network flowssWorms that do not use executable codeswill not be detected; complex analysiss[14]sPosition Aware DistributionsSignaturesGeneric pattern of the s...

Citation Context

...d does not include data flow analysis;salso, strictly intra-procedural and doessnot detect malicious behavior splitsacross several proceduress3.4 Behavioral signature techniquessA few techniques [18]-=-=[20]-=- are presented that use behavioralsfoot printing to detect worms. Table 4 below shows thesanalysis of these techniques. Content-based fingerprintingsschemes do not capture a worm’s temporal infection ...

Citation Context

...a slowersrate than worms. Worms on the other hand, spread extremelysfast. During the Code Red I version 1 internet worm attack ofsthe year 2001, over 359,000 computers were infected in unders14 hours =-=[2]-=-. During the more aggressive Slammer internetsworm attack of the year 2003 more than 90% of 75,000svulnerable hosts were infected in less than 10 minutes [3]. Asproperly constructed worm could infect ...

Citation Context

... Content-based fingerprintingstechniquessRef. TechniquesWormsCharacteristicsLeveragedsLimitationss[7]sEarly Bird,sContent SiftingsContentsInvariance;sPacket SimilaritysCannot detectspolymorphic wormss=-=[8]-=-sInversesdistribution ofspacket contentssByte-levelssimilarity ofspacketssSome packets thatsalso exhibit contentlevel similarity aresnot maliciouss[9]sN-gramsanalysissPacket Similaritys[10] Autographs...

Citation Context

... Trojan horse, Spyware and Adware.sIn this paper, we focus on Worms. A network worm is definedsas a process that can cause a (possibly evolved) copy of it tosexecute on a remote computational machine =-=[1]-=-. Wormssnormally self-propagate across networks by exploitingssecurity or policy flaws in widely-used network services.sWorms are different from Viruses in that Viruses piggy-backson files and therefo...

Citation Context

...ion Detection Systems face.sFigure 1 presents the categorization that will be extended tosinclude many other current detection parameters.sFig 1: Categorization of Internet Worm Defense. Adaptedsfrom =-=[5]-=-sThe rest of the paper is organized as follows. Section 2sdiscusses computer worm behavior. Section 3 discussessvarious worm detection techniques, indicating the wormscharacteristics that they leverag...

Citation Context

...icsand does not include data flow analysis;salso, strictly intra-procedural and doessnot detect malicious behavior splitsacross several proceduress3.4 Behavioral signature techniquessA few techniques =-=[18]-=--[20] are presented that use behavioralsfoot printing to detect worms. Table 4 below shows thesanalysis of these techniques. Content-based fingerprintingsschemes do not capture a worm’s temporal infec...

Citation Context

...ss[9]sN-gramsanalysissPacket Similaritys[10] AutographsPrevalence ofsportions of flowspayloadssCannot detectspolymorphic wormss3.3 Polymorphic-signature generationsschemessA number of techniques [12]-=-=[16]-=- have been presented forsdetecting polymorphic worms. Again, the technique used isshighlighted, the worm characteristic leverage is indicated andsthe limitations of the technique are pointed out in th...

Citation Context

...overs the probing, exploitationsand replication phases of the infection session [18].sTable 4.Synthesis of Behavioral foot printing techniquessRef. Technique Worm Characteristic Leveraged Limitationss=-=[17]-=- Model each infection step as a behaviorsphenotype & the entire infection session as assequential behavioral footprintsIntrinsic differences between a normalsaccess to the service and a wormsinfection...

Citation Context

...ubstringsscorresponding to protocol framing, returnsaddresses)s[13] Control Flow Graph (CFG) Similarities in network flowssWorms that do not use executable codeswill not be detected; complex analysiss=-=[14]-=-sPosition Aware DistributionsSignaturesGeneric pattern of the signature whilesallowing local variation in specificspositionssA worm may include a commonssegment that appears in normal traffic;salso, a...

Citation Context

...ilesallowing local variation in specificspositionssA worm may include a commonssegment that appears in normal traffic;salso, a worm may have multiplescharacteristics that all carry usefulsinformations=-=[15]-=-sLength-based signatures to targetsbuffer overflow attackssTo exploit any buffer overflowsvulnerability, the length of certain protocolsfields must be long enough to overflow thesbuffersOnly effective...

Citation Context

...d a wormsinfection through the servicesWeak against behaviorsubstitution attacks andsbehavior camouflaging attackss[18] Malware behavior constructed from itssexecution tracesMalware behavior distincts=-=[19]-=- SWORD framework Causal similarity; destination addresssdistribution; continuity analysissDoes not detect slow moving orssmart worms; false positive forsworm-like legitimate traffic;sneeds training ag...

Citation Context

...d does not include data flow analysis;salso, strictly intra-procedural and doessnot detect malicious behavior splitsacross several proceduress3.4 Behavioral signature techniquessA few techniques [18]-=-=[20]-=- are presented that use behavioralsfoot printing to detect worms. Table 4 below shows thesanalysis of these techniques. Content-based fingerprintingsschemes do not capture a worm’s temporal infection ...