Autograph: Toward Automated, Distributed Worm Signature Detection
Short Description
manually study packet traces to produce a worm signature. … our worm signature detection system, has been designed to meet that goal. …
Website: www.cs.cmu.edu | Filesize: 256kb
Content
Autograph: Toward Automated, Distributed Worm Signature Detection
Hyang-Ah Kim
hakim@cs.cmu.edu
Carnegie Mellon University
Brad Karp
brad.n.karp@intel.com, bkarp@cs.cmu.edu
Intel Research / Carnegie Mellon University
Abstract
Today’s Internet intrusion detection systems (IDSes) monitor edge networks’ DMZs to identify and/or filter malicious flows. While an IDS helps protect the hosts on its local edge network from compromise and denial of service, it cannot alone effectively intervene to halt and reverse the spreading of novel Internet worms. Generation of the worm signatures required by an IDS (the byte patterns sought in monitored traffic to identify worms) today entails non-trivial human labor, and thus significant delay: as network operators detect anomalous behavior, they communicate with one another and manually study packet traces to produce a worm signature. Yet intervention must occur early in an epidemic to halt a worm’s spread. In this paper, we describe Autograph, a system that automatically generates signatures for novel Internet worms that propagate using TCP transport. Autograph generates signatures by analyzing the prevalence of portions of flow payloads, and thus uses no knowledge of protocol semantics above the TCP level. It is designed to produce signatures that…