Zero-day polymorphic worms pose a serious threat to the security of Internet infrastructures. Given their rapid propagation, it is crucial to detect them at edge networks and automatically generate signatures in the early stages of infection. Most existing approaches for automatic signature generation need host information and are thus not applicable for deployment on high-speed network links. In this paper, we propose Hamsa, a network-based automated signature generation system for polymorphic worms that is fast, noise-tolerant and attack-resilient. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms, which allows us to make analytical attack-resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms Polygraph [16] in terms of efficiency, accuracy, and attack resilience.
Created and maintained by Mihai Christodorescu (http://www.cs.wisc.edu/~mihai)
Created: Fri Jan 27 11:58:07 2006
Last modified: Fri Jan 27 11:59:05 Central Standard Time 2006