Polygraph
It is widely believed that
content-signature-based intrusion detection systems (IDSes) are easily
evaded by polymorphic worms, which vary their payload on every
infection attempt. We have designed and developed Polygraph, a
signature generation system that successfully produces signatures that
match polymorphic worms. Polygraph generates signatures that consist
of multiple disjoint content substrings. In doing so, Polygraph
leverages our insight that for a real-world exploit to function
properly, multiple invariant substrings must often be present in all
variants of a payload; these substrings typically correspond to
protocol framing, return addresses, and in some cases, poorly
obfuscated code. We contribute a definition of the polymorphic
signature generation problem; propose classes of signature suited for
matching polymorphic worm payloads; and present algorithms for
automatic generation of signatures in these classes. Our evaluation of
these algorithms on a range of polymorphic worms demonstrates that
Polygraph produces signatures for polymorphic worms that exhibit low
false negatives and false positives.
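The abstract describes signatures built from several disjoint invariant substrings (protocol framing, a return address) shared by every variant of a polymorphic payload. The following is an added, simplified illustration of that idea, not the authors' Polygraph code: it extracts the maximal substrings common to a small pool of constructed sample flows, forms a conjunction signature from them, and checks an unseen variant and a benign request against it. The sample payloads, filler strings, and the return-address placeholder are all constructed for the example.

```python
"""Toy conjunction-signature generation in the spirit of Polygraph (added example)."""
from typing import List, Set

def common_substrings(samples: List[bytes], min_len: int) -> Set[bytes]:
    """Maximal substrings of at least min_len bytes that occur in every sample."""
    first, found = samples[0], set()
    for i in range(len(first)):
        for j in range(i + min_len, len(first) + 1):
            sub = first[i:j]
            if not all(sub in s for s in samples[1:]):
                break            # a longer extension cannot match either
            found.add(sub)
    # keep only tokens that are not contained in a longer common token
    return {t for t in found if not any(t != u and t in u for u in found)}

def matches_conjunction(flow: bytes, signature: Set[bytes]) -> bool:
    """Conjunction signature: every token must appear somewhere in the flow."""
    return all(token in flow for token in signature)

# Constructed polymorphic samples (not real worm traffic): invariant protocol
# framing plus a fixed 4-byte return-address placeholder, with varying filler.
PREFIX = b"GET /cgi-bin/app?id="
RET_ADDR = b"\xef\xbe\xad\xde"          # placeholder bytes, not a real address
SUFFIX = b" HTTP/1.0\r\n"
FILLERS = [b"k7Qz9pLx2wVm4nRt", b"B3yHs8uJc1eGd6fT", b"v5oNa0iKq2lWr7bP"]

def variant(k: int) -> bytes:
    """k-th polymorphic variant: same framing and address, different filler."""
    return PREFIX + FILLERS[k % 3] + RET_ADDR + FILLERS[(k + 1) % 3] + SUFFIX

SUSPICIOUS_POOL = [variant(k) for k in range(3)]

def build_signature(min_len: int = 4) -> Set[bytes]:
    """Derive the conjunction signature from the suspicious flow pool."""
    return common_substrings(SUSPICIOUS_POOL, min_len)

if __name__ == "__main__":
    sig = build_signature()
    print("tokens:", sig)                    # prefix, return address, suffix
    unseen = PREFIX + b"Ww1xY" + RET_ADDR + b"zZ0a" + SUFFIX
    print("unseen variant:", matches_conjunction(unseen, sig))   # True
    benign = b"GET /cgi-bin/app?id=42 HTTP/1.0\r\n"
    print("benign request:", matches_conjunction(benign, sig))   # False
```

The benign request shares the framing tokens but lacks the return-address token, so the conjunction does not fire; this is the property that lets multi-substring signatures keep false positives low where a single framing substring would not.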