Since the advent of the internet, network intrusions have been a major concern for network administrators. Today a completely safeguarded network system is probably unattainable, largely because of network intrusion (Boriana and Lisa, 2005). Intrusion detection is usually carried out via signatures: a rule set that matches every attack instance modeled by the signature. A polymorphic worm, which mutates through code transformations, is one of many network intruders; it varies its payload on every infection attempt.
To detect such intrusions, Polygraph, a content-based signature generation system for intrusion detection systems (IDS), was introduced. Polygraph does successfully produce matching signatures for polymorphic worms. Unlike other automated signature generators, which look for a single contiguous payload substring long enough to match only the worm, Polygraph departs from the weak assumption that one invariant payload substring exists across all worm connections. Instead it relies on the knowledge that a worm must exploit some vulnerability in server software, and that the exploit therefore contains invariant bytes, such as protocol framing.
It follows that instances of a worm share some invariant content, because they all take advantage of the same vulnerability (Newsome and Dawn, 2006). This is reinforced by findings that nearly all software, irrespective of operating system, contains invariants that an exploit must preserve. Some of the more common polymorphic worms used for intrusion include CodeRed, which exploits a buffer overflow through the GET string during ASCII-to-Unicode conversion, and AdmWorm, which overwrites a return address via a buffer overrun, among many others.
A typical Polygraph monitor, placed in the network where it sees all traffic, reassembles each flow into a contiguous byte stream. Two flow pools are produced: an innocuous pool and a suspicious pool. From these pools, sets of signatures are generated that classify payloads as worm or not, with some false positives and false negatives, using algorithms based on Bayes' law, i.e. Pr(M|N) = Pr(N|M) * Pr(M) / Pr(N). Here Pr denotes probability, M and N are events, and M|N denotes event M given that event N has occurred. In plain terms, Bayes' law states that the probability of M given N is computed by multiplying the probability of N given M by the probability of M, and dividing by the probability of N (Darren et al., 2004). The rule is therefore used to weigh the occurrence of invariants in the suspected payloads.
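The Bayes-signature step described above, as an added worked example in Python written for this page (not Polygraph's own code): tokens are substrings shared by the suspicious flows, each token is weighted by the log ratio of its occurrence rate in the suspicious pool to its rate in the innocuous pool, a flow's score is the sum of the weights of the tokens it contains, and the threshold is chosen from the innocuous pool so that it produces no false positives there. The two flow pools, the INVARIANT bytes and every function name are constructed for the demo.

```python
import math
from collections import Counter

# Constructed sample pools for this demonstration; not data from the essay or
# from the Polygraph paper. INVARIANT stands in for the bytes a polymorphic worm
# cannot change (e.g. the return address it must overwrite); the value is made up.
INVARIANT = b"\x90\xe8\xff\xbf"

def make_worm_flow(filler_byte):
    """Constructed worm instance: the invariant bytes wrapped in a per-instance
    filler, standing in for the mutated payload of a polymorphic worm. A single
    repeated filler byte keeps accidental cross-instance substrings out of the demo."""
    filler = bytes([filler_byte]) * 24
    return b"GET /index.html HTTP/1.1\r\nHost: " + filler + INVARIANT + filler + b"\r\n\r\n"

SUSPICIOUS = [make_worm_flow(b) for b in b"abcde"]          # suspicious flow pool
INNOCUOUS = [                                               # innocuous flow pool
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: mail.example.test\r\nUser-Agent: demo\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.test\r\nContent-Length: 9\r\n\r\nuser=demo",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
]

def extract_tokens(flows, min_len=3, min_flows=2):
    """Substrings of at least min_len bytes that occur in at least min_flows of
    the flows. A substring is dropped when a longer candidate contains it and
    occurs in at least as many flows, so only maximal tokens survive."""
    counts = Counter()
    for flow in flows:
        seen = {flow[i:j] for i in range(len(flow))
                for j in range(i + min_len, len(flow) + 1)}
        counts.update(seen)                     # count each substring once per flow
    cand = {t for t, c in counts.items() if c >= min_flows}
    return sorted(t for t in cand
                  if not any(t != u and t in u and counts[u] >= counts[t] for u in cand))

def bayes_signature(tokens, suspicious, innocuous, smoothing=0.5):
    """Weight each token by the log ratio of its occurrence rate in the
    suspicious pool to its rate in the innocuous pool. Additive smoothing keeps
    a token absent from one pool from producing log(0)."""
    def rate(token, pool):
        hits = sum(token in flow for flow in pool)
        return (hits + smoothing) / (len(pool) + 2 * smoothing)
    return {t: math.log(rate(t, suspicious) / rate(t, innocuous)) for t in tokens}

def score(signature, flow):
    """Bayes score of a flow: the summed weights of the signature tokens it contains."""
    return sum(w for t, w in signature.items() if t in flow)

def choose_threshold(signature, innocuous, max_false_positives=0):
    """Lowest threshold that lets at most max_false_positives innocuous flows score above it."""
    scores = sorted(score(signature, f) for f in innocuous)
    allowed = min(max_false_positives, len(scores) - 1)
    return math.nextafter(scores[len(scores) - 1 - allowed], math.inf)

def matches(signature, threshold, flow):
    """A flow matches the signature when its score exceeds the threshold."""
    return score(signature, flow) > threshold

def ranked_tokens(signature):
    """Tokens ordered from the most worm-specific to the least."""
    return sorted(signature, key=signature.get, reverse=True)

def build():
    """Generate the Bayes signature and its threshold from the two pools."""
    signature = bayes_signature(extract_tokens(SUSPICIOUS), SUSPICIOUS, INNOCUOUS)
    return signature, choose_threshold(signature, INNOCUOUS)

if __name__ == "__main__":
    signature, threshold = build()
    for token in ranked_tokens(signature):
        print(f"{signature[token]:6.3f}  {token!r}")
    print("threshold:", threshold)
    unseen = make_worm_flow(ord("z"))       # a mutation not in the suspicious pool
    print("unseen worm instance matches:", matches(signature, threshold, unseen))
    print("innocuous flows matching:", sum(matches(signature, threshold, f) for f in INNOCUOUS))
```

The protocol framing ("GET /index.html HTTP/1.1", the blank line) occurs in the innocuous pool too and so earns little weight, while the invariant bytes occur only in worm flows and dominate the score; an instance with filler never seen before still scores above the threshold, which is the point of weighting invariants instead of demanding one long contiguous substring.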
To ensure good-quality signatures, hierarchical clustering should be used. Each cluster holds a set of flows and the signature generated from that same set. When clusters are merged, the signature generation algorithm is re-run on the merged set, producing a better signature. The algorithm can be optimized further to reduce false positives. Parallelizing the hierarchical clustering across multiple processors reduces the time needed to generate a signature, which matters because these algorithms are computationally expensive. In return, Polygraph automatically supplies the signature database that a NIDS needs most.
Filtering based on payload content thus appears to counteract polymorphic worm intrusion effectively. By incorporating invariant byte sequences and applying Bayes' law, worms can be isolated through the invariant content of their exploits. The Bayes algorithm above and the others, token-subsequence and conjunction, each automatically generate signatures in their respective signature classes. High-quality signatures can therefore be derived even when misclassified noise flows are present alongside multiple worms.
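The hierarchical clustering of the previous paragraph and the conjunction and token-subsequence signature classes named here, as one added example in Python written for this page (not Polygraph's code). The suspicious pool mixes instances of two constructed worms with one misclassified benign flow; clustering merges flows greedily as long as the merged signature keeps a zero false positive rate on the innocuous pool, so each worm ends up with its own signature and the noise flow is left out. INV_A, INV_B, the flows and all function names are assumptions made for the demo.

```python
from itertools import combinations

# Constructed sample pools for this demonstration; not data from the essay or
# the Polygraph paper. INV_A and INV_B stand in for the invariant exploit bytes
# of two different worms; both values are made up.
INV_A = b"\x90\xe8\xff\xbf"
INV_B = b"\xeb\x0c\xfe\x7f"

def make_worm_a(filler_byte):
    """Constructed instance of worm A (HTTP-borne): invariant bytes inside a mutable filler."""
    filler = bytes([filler_byte]) * 24
    return b"GET /index.html HTTP/1.1\r\nHost: " + filler + INV_A + filler + b"\r\n\r\n"

def make_worm_b(filler_byte):
    """Constructed instance of worm B (FTP-like login): three invariant pieces, mutable in between."""
    filler = bytes([filler_byte]) * 24
    return b"USER " + filler + INV_B + filler + b"\r\nPASS " + filler + b"\r\n"

NOISE = b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\n\r\n"  # benign flow misclassified as suspicious
SUSPICIOUS = [make_worm_a(b) for b in b"abc"] + [make_worm_b(b) for b in b"xyz"] + [NOISE]
INNOCUOUS = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
    b"USER anonymous\r\nPASS guest\r\n",
    b"USER demo\r\nPASS demo\r\n",
]

def common_tokens(flows, min_len=3):
    """Maximal substrings of at least min_len bytes present in every flow of the set."""
    base = flows[0]
    cand = {base[i:j] for i in range(len(base)) for j in range(i + min_len, len(base) + 1)}
    cand = {t for t in cand if all(t in f for f in flows[1:])}
    return sorted(t for t in cand if not any(t != u and t in u for u in cand))

def conjunction_matches(tokens, flow):
    """Conjunction signature: every token must be present, in any order."""
    return all(t in flow for t in tokens)

def subsequence_signature(flows, min_len=3):
    """Token-subsequence signature: the common tokens in the order they occur in
    the first flow, keeping only those whose order holds in every flow."""
    kept, cursors = [], [0] * len(flows)
    for t in sorted(common_tokens(flows, min_len), key=flows[0].find):
        positions = [f.find(t, c) for f, c in zip(flows, cursors)]
        if all(p >= 0 for p in positions):            # t follows the kept tokens in every flow
            kept.append(t)
            cursors = [p + len(t) for p in positions]
    return kept

def subsequence_matches(tokens, flow):
    """Token-subsequence match: tokens must appear in order, without overlapping."""
    pos = 0
    for t in tokens:
        pos = flow.find(t, pos)
        if pos < 0:
            return False
        pos += len(t)
    return True

def false_positive_rate(tokens, innocuous):
    """Fraction of the innocuous pool that the conjunction of tokens would flag."""
    return sum(conjunction_matches(tokens, f) for f in innocuous) / len(innocuous)

def cluster(suspicious, innocuous, max_fp=0.0, min_len=3):
    """Greedy hierarchical clustering: start with one cluster per flow and repeatedly
    merge the pair whose merged signature has the lowest false positive rate on the
    innocuous pool (the more specific signature wins ties), stopping when every
    remaining merge would exceed max_fp. Singleton clusters yield no signature."""
    clusters = [[f] for f in suspicious]
    while True:
        best = None
        for a, b in combinations(range(len(clusters)), 2):
            tokens = common_tokens(clusters[a] + clusters[b], min_len)
            if not tokens:
                continue
            fp = false_positive_rate(tokens, innocuous)
            key = (fp, -sum(len(t) for t in tokens))
            if fp <= max_fp and (best is None or key < best[0]):
                best = (key, a, b)
        if best is None:
            return [c for c in clusters if len(c) > 1]
        _, a, b = best
        clusters[a] += clusters.pop(b)        # b > a, so index a stays valid

def generate(suspicious, innocuous, max_fp=0.0):
    """One conjunction signature and one token-subsequence signature per cluster."""
    return [(common_tokens(c), subsequence_signature(c)) for c in cluster(suspicious, innocuous, max_fp)]

if __name__ == "__main__":
    for conj, subseq in generate(SUSPICIOUS, INNOCUOUS):
        print("conjunction:", conj)
        print("subsequence:", subseq)
```

Merging a worm A flow with the noise flow yields only the shared HTTP framing, which also matches innocuous requests, so that merge is rejected and the noise flow never contaminates a signature. The token-subsequence class is stricter than the conjunction class: a payload that carries all three of worm B's tokens in the wrong order satisfies the conjunction but not the subsequence.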
References
Boriana, D. & Lisa, F. (2005). Signature-Based Intrusion Detection. North Carolina: University of North Carolina.
Darren, M. et al. (2004). Reverse Engineering of Network Signatures. Santa Barbara: Routledge Publishers.
Newsome, J. & Dawn, S. (2006). Polygraph: Automatically Generating Signatures for Polymorphic Worms. New York: St. Martin's Press.