{"title":"特征遗漏漏洞:阻碍多态蠕虫的签名生成","authors":"M. Gundy, Hao Chen, Z. Su, G. Vigna","doi":"10.1109/ACSAC.2007.42","DOIUrl":null,"url":null,"abstract":"To combat the rapid infection rate of today's Internet worms, signatures for novel worms must be generated soon after an outbreak. This is especially critical in the case of polymorphic worms, whose binary representation changes frequently during the infection process. In this paper, we examine the assumptions underlying two leading network-based signature generation systems for polymorphic worms: polygraph [14] and Hamsa [12]. By identifying an assumption of both systems not met by all vulnerabilities, we discover a class of vulnerabilities (feature omission vulnerabilities) that neither system can accurately characterize. We demonstrate the limitations of polygraph and Hamsa by testing the signatures that they generate for exploits targeting a feature omission vulnerability. We discuss why feature omission vulnerabilities are difficult to characterize and how increased semantic awareness can help the signature generation process.","PeriodicalId":199101,"journal":{"name":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","volume":"6 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"11","resultStr":"{\"title\":\"Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms\",\"authors\":\"M. Gundy, Hao Chen, Z. Su, G. Vigna\",\"doi\":\"10.1109/ACSAC.2007.42\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"To combat the rapid infection rate of today's Internet worms, signatures for novel worms must be generated soon after an outbreak. This is especially critical in the case of polymorphic worms, whose binary representation changes frequently during the infection process. In this paper, we examine the assumptions underlying two leading network-based signature generation systems for polymorphic worms: polygraph [14] and Hamsa [12]. By identifying an assumption of both systems not met by all vulnerabilities, we discover a class of vulnerabilities (feature omission vulnerabilities) that neither system can accurately characterize. We demonstrate the limitations of polygraph and Hamsa by testing the signatures that they generate for exploits targeting a feature omission vulnerability. We discuss why feature omission vulnerabilities are difficult to characterize and how increased semantic awareness can help the signature generation process.\",\"PeriodicalId\":199101,\"journal\":{\"name\":\"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)\",\"volume\":\"6 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2007-12-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"11\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ACSAC.2007.42\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ACSAC.2007.42","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Feature Omission Vulnerabilities: Thwarting Signature Generation for Polymorphic Worms
To combat the rapid infection rate of today's Internet worms, signatures for novel worms must be generated soon after an outbreak. This is especially critical in the case of polymorphic worms, whose binary representation changes frequently during the infection process. In this paper, we examine the assumptions underlying two leading network-based signature generation systems for polymorphic worms: polygraph [14] and Hamsa [12]. By identifying an assumption of both systems not met by all vulnerabilities, we discover a class of vulnerabilities (feature omission vulnerabilities) that neither system can accurately characterize. We demonstrate the limitations of polygraph and Hamsa by testing the signatures that they generate for exploits targeting a feature omission vulnerability. We discuss why feature omission vulnerabilities are difficult to characterize and how increased semantic awareness can help the signature generation process.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
