Matthew Van Gundy
University of California, Davis
USA
Hao Chen
University of California, Davis
USA
Zhendong Su
University of California, Davis
USA
Giovanni Vigna
University of California, Santa Barbara
USA
Content-filtering has been shown to be an effective defense against
Internet worms [14]. However, in order to be useful, content-filtering
requires accurate worm signatures. To facilitate generating worm
signatures quickly enough to block the rapid spread of modern worms, a
number of automated signature generation systems have been proposed.
In this paper we examine the assumptions underlying the two leading
network-based signature generation systems for polymorphic worms:
Polygraph [15] and Hamsa [12]. By identifying an assumption not met by
all vulnerabilities, we discover a class of vulnerabilities, which we
call feature omission vulnerabilities, that cannot be accurately
characterized by either system. We demonstrate the limitations of
Polygraph and Hamsa by testing their signature generation against
exploits for a feature omission vulnerability found in the wild. We then
highlight factors that should be considered in the design of future
systems if they are to generate accurate signatures for feature omission
vulnerabilities.
Keywords: worms, polymorphic, malware, signature generation, content filtering
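To make the abstract's point concrete, the following is an added illustration, not code from this paper nor from Polygraph or Hamsa. It is a stripped-down conjunction-signature generator of the kind both systems build on: it extracts the substrings common to every flow in a suspicious pool and, as Hamsa does, discards any token that also occurs in a pool of benign traffic. The toy protocol, the request samples and the helper names are all constructed for this example. Run over polymorphic exploits for a hypothetical vulnerability triggered by leaving out a required terminator, the only invariant content is protocol boilerplate that benign requests share, so no usable content signature results; the same generator succeeds on a contrasting hypothetical vulnerability whose exploits must include an extra option string.

```python
# Added illustration, not code from the paper or from Polygraph/Hamsa.
# A deliberately simplified conjunction-signature generator in the style of
# those systems, run over constructed exploit pools for a made-up
# line-oriented protocol. Everything here (the protocol, the request
# samples, the helper names) is an assumption made for the example.

# Constructed toy protocol: a request is "CMD <name>;\n". Hypothetically,
# the server's parser mishandles a request whose ';' terminator is missing
# (a feature *omission*), and separately mishandles a request carrying an
# out-of-spec " --raw" option (a feature *inclusion*).

NORMAL_POOL = ["CMD list;\n", "CMD stat;\n", "CMD alpha;\n", "CMD mmm;\n"]

# Polymorphic exploits for the omission bug: the name varies freely; the
# only thing they have in common is what they lack. Note "CMD mmm\n" is a
# benign request minus one byte.
OMISSION_EXPLOITS = ["CMD alpha\n", "CMD zz9\n", "CMD q_wert\n", "CMD mmm\n"]

# Polymorphic exploits for the inclusion bug: each must carry " --raw".
INCLUSION_EXPLOITS = ["CMD alpha --raw;\n", "CMD zz9 --raw;\n",
                      "CMD q_wert --raw;\n", "CMD mmm --raw;\n"]


def common_tokens(samples, min_len=3):
    """Maximal substrings of length >= min_len present in every sample.

    This is the 'invariant content' step shared by Polygraph conjunction
    signatures and Hamsa token extraction, in its most naive form.
    """
    if not samples:
        return set()
    base = samples[0]
    found = set()
    for i in range(len(base)):
        for j in range(i + min_len, len(base) + 1):
            sub = base[i:j]
            if all(sub in s for s in samples[1:]):
                found.add(sub)
    # Keep only maximal tokens: drop anything contained in a longer token.
    return {t for t in found if not any(t != u and t in u for u in found)}


def drop_benign_tokens(tokens, normal_pool, max_fp=0.0):
    """Hamsa-style check: keep tokens whose rate in benign traffic <= max_fp."""
    kept = set()
    for t in tokens:
        rate = sum(1 for flow in normal_pool if t in flow) / len(normal_pool)
        if rate <= max_fp:
            kept.add(t)
    return kept


def generate_signature(suspicious_pool, normal_pool, min_len=3, max_fp=0.0):
    """Conjunction signature: the invariant tokens that are also rare in
    benign traffic. An empty result means no content signature was found."""
    return drop_benign_tokens(common_tokens(suspicious_pool, min_len),
                              normal_pool, max_fp)


def matches(signature, flow):
    """A conjunction signature fires only if every token is present."""
    return bool(signature) and all(t in flow for t in signature)


def lacks_terminator(flow):
    """The property that actually characterises the omission exploits: a
    predicate on what is *absent*. Hand-written for the toy protocol; a
    token-presence signature cannot express it."""
    return not flow.endswith(";\n")


if __name__ == "__main__":
    sig_omit = generate_signature(OMISSION_EXPLOITS, NORMAL_POOL)
    sig_incl = generate_signature(INCLUSION_EXPLOITS, NORMAL_POOL)
    print("invariant content of omission exploits:",
          common_tokens(OMISSION_EXPLOITS))
    print("omission signature:", sig_omit)    # empty: nothing survives the benign check
    print("inclusion signature:", sig_incl)   # the " --raw;\n" option string
    for flow in OMISSION_EXPLOITS + NORMAL_POOL:
        print(repr(flow), "content sig:", matches(sig_omit, flow),
              "absence check:", lacks_terminator(flow))
```

The failure does not depend on the toy protocol. Every exploit in the omission pool is a benign request with a byte removed, so any invariant token the pool yields is also present in benign traffic: the generator must either emit a signature that blocks legitimate requests (relax `max_fp` and the "CMD " token comes back and matches every flow in `NORMAL_POOL`) or emit nothing at all. A check such as `lacks_terminator` captures the exploit class directly, but it is a statement about what the flow does not contain, which a signature built from the presence of tokens cannot encode.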