A framework for automated malcode signatures generation

Abstract

Rapid malicious codes (malcodes) are self-replicating malicious programs that represent a major security threat to the Internet. Fast monitoring and early warning systems are very essential to prevent rapid malcodes spreading. The difficulty in detecting malcodes is that they evolve over time. Although signature-based tools such as network intrusion detection systems are widely used to protect critical systems, traditional signature-based malcode detectors fail to detect obfuscated and previously unseen malcode executables. Automatic signature generation techniques are needed to augment these tools due to the speed at which new vulnerabilities are discovered. In particular, we need automated techniques which generate signatures without mistakenly block legitimate traffic or increase false alarms. This work investigates a technique for automatically generating sound vulnerability signatures of novel rapid malcodes. In this paper, rapid malcode signatures are automatically generated based on their spreading behavior, specially aimed at automatically extracting and deploying signatures on the packet level, without the need for reassembly that could be used by signature-based firewalls network intrusion detection system. Evaluation on Universiti Teknologi Malaysia network corpus shows higher detection accuracy at 87% compare to 56% for Snort signatures. Moreover, false negative reduces to 14% compared to 78% for Snort signatures.