Polymorphic Worm Detection Using Token-Pair Signatures

Burak Bayoglu
National Research Institute of Electronics and Cryptology, Gebze, Kocaeli, Turkey
[email protected]

Ibrahim Sogukpinar
Gebze Institute of Technology, Gebze, Kocaeli, Turkey
[email protected]

ABSTRACT
A worm is a self-replicating computer program which, unlike a virus, neither needs to attach itself to an existing program nor requires user intervention. Worms exploit operating system and application software vulnerabilities to infect systems. Polymorphic code is the art of developing code that mutates at each copy while keeping the original algorithm unchanged; a polymorphic worm therefore changes its byte pattern each time it sends a copy to another system, which defeats simple signature matching. Some part of the code nevertheless remains unchanged. In this work we propose Token-Pair Conjunction and Token-Pair Subsequence signatures for detecting polymorphic worms. The proposed model was evaluated against two real polymorphic worms, and the results show that the proposed signature schemes have low false negative and low false positive rates.

Categories and Subject Descriptors
K.6.5 [Management of Computing and Information Systems]: Security and Protection – invasive software, unauthorized access.

General Terms
Security.

Keywords
Worm detection, polymorphic worms, token pair signature.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. SecPerU'08, July 7, 2008, Sorrento, Italy. Copyright 2008 ACM 978-1-60558-207-8/08/07...$5.00.

1. INTRODUCTION
Operating system and application software vulnerabilities may cause serious harm when exploited by a trojan, virus, worm, etc. According to the Symantec threat reports [1] and [2], worms made up 52 percent and 75 percent of the volume of malicious code threats in the first and second halves of 2006 respectively. A worm is a self-replicating computer program which, unlike a virus, neither needs to attach itself to an existing program nor requires user intervention. Worms exploit operating system and application software vulnerabilities to infect systems and use the network infrastructure to send copies of themselves to other systems. This self-propagation model is the main reason why worms can spread across very large networks in a short time.

Polymorphic worms are a special subset of worms. Polymorphic code is the art of developing code that mutates at each copy while keeping the original algorithm intact; accordingly, a polymorphic worm changes its byte pattern each time it sends a copy to another system, and thereby avoids detection by simple signature matching. Some part of the code, however, still remains unchanged.

Encryption is the most common technique for producing polymorphic code. Not all of the code can be encrypted, because encrypted code cannot execute until it has been decrypted. Every worm has a portion of code that exploits the potential victim; this unencrypted part is used to transfer execution to the decryption routine, and from there to the main worm code. Polymorphic worms and viruses are an attractive area for malicious code authors, since polymorphism lets them produce more sophisticated and harder-to-detect malicious code. Information systems defenders, working towards the opposite goal, are equally motivated to develop defences for this challenging attack type.

ADMmutate [8] and Clet [9] are readily available polymorphic engines. They encrypt a payload and append the decryption key and a decryption routine that is obfuscated differently each time. As stated in [3], Clet is considered to generate less invariant content than ADMmutate. These engines have been used by many polymorphic threats. Neither ADMmutate nor Clet performs perfect obfuscation, so their output may still contain invariant content. Although generating perfectly obfuscated code is still an open problem, we assume that the decryption routine is perfectly obfuscated, so that our solution addresses the worst case.

In this paper we propose Token-Pair signatures for detecting this threat. Two signature types are defined, namely Token-Pair Conjunction signatures and Token-Pair Subsequence signatures. Tokens are extracted from the worm payloads, and a flexible signature scheme built from token pairs is used to detect polymorphic worms. Experiments were performed against two real polymorphic worms, which exploit the Apache-Knacker and BIND-TSIG vulnerabilities. The results show that Token-Pair signatures have low false positive and low false negative rates. Token-Pair signatures can also be used to improve related signature-based polymorphic worm detection techniques where signature flexibility matters.

The rest of the paper is organized as follows. Section 2 gives background information about polymorphic worms and introduces related work. The proposed Token-Pair signature generation and polymorphic worm detection scheme is presented in Section 3. We present experimental results and discuss
how Token-Pair signatures can be utilized to improve related work in Section 4. Finally, we conclude the paper and discuss future work in Section 5.

2. BACKGROUND INFORMATION AND RELATED WORK
Typically a polymorphic worm consists of four parts: the Decryption Routine, the Decryption Key, the Encrypted Worm Code and the Exploit Code, as shown in Figure 1.

Figure 1. Polymorphic worm structure: Decryption Routine | Decryption Key | Encrypted Worm Code | Exploit Code

A polymorphic worm first has to exploit the vulnerability and then decrypt the encrypted worm code using the decryption routine and the key that was used to encrypt it. A different encryption/decryption key is used for each worm copy, so the Decryption Key and the Encrypted Worm Code differ from sample to sample, while the Decryption Routine and the Exploit Code would remain unchanged. Obfuscation techniques can, however, be applied to each copy to make the Decryption Routine differ as well [3]. That leaves the Exploit Code as the only unchanged part of the worm, and it may cause high false positives when used on its own to detect the worm. Honeycomb [10], Autograph [11] and EarlyBird [12] generate worm signatures automatically, but all of them share the assumption that the worm content contains a contiguous string long enough to identify the worm uniquely. Since a single common substring is insufficient to detect polymorphic worms, these techniques are not appropriate for polymorphic worm detection. Polymorphic worm detection efforts fall into two categories: content-based and behaviour-based approaches. Content-based techniques ([3], [7], [13], [15], [16]) use the worm content to produce information that matches the worm. Behaviour-based approaches ([17], [18], [19]) focus on the worm's network and system activity rather than its content, or watch for anomalies that deviate from normal network activity. Worm detection can be performed network-based or host-based. Network-based techniques ([3], [7], [18]) are deployed in the network, before the malicious code reaches the end systems; host-based techniques ([13], [15], [16], [17], [19]) are deployed at the end systems.

Content-based IDSes usually match traffic against predefined attack signatures. A single common substring is insufficient to define a polymorphic worm ([3], [7]). Therefore the signature must capture as many properties of the worm content as possible and correlate them to detect the worm reliably. Polygraph [3] is a content-based polymorphic worm detection technique that proposes three families of signatures: conjunction signatures, token-subsequence signatures and Bayes signatures. The substrings of the worm content used for signature generation are called tokens. A conjunction signature is a set of tokens that matches a flow if and only if all of the tokens are present, in any order. A token-subsequence signature is similar, except that the tokens must appear in the given order. A Bayes signature consists of a set of tokens, each associated with a score, together with an overall threshold. Unlike conjunction and token-subsequence signatures, Bayes signatures provide probabilistic matching: given a suspicious flow, the probability that it is a worm is computed from the scores of the tokens present in it, and if the result exceeds the predefined threshold, Polygraph classifies the flow as a worm.

Polygraph uses hierarchical clustering to generate worm signatures from a noisy suspicious flow pool. Initially each sample is a cluster of its own, and the two clusters whose union yields the signature with the lowest false positive rate are merged. Merging continues until a single cluster remains or no further merge produces a signature with an acceptable false positive rate. As stated in [7], this approach tends to cluster a worm sample together with a normal sample if the variant part of the worm samples shares tokens with the normal pool, which leads to false negatives. Hamsa's model-based greedy signature generation algorithm bounds both the false positive and the false negative rate of the signature even when the attacker has full control over the content of the variant part of the worm samples.

Z. Li et al. claim that Hamsa [7] outperforms Polygraph [3] in efficiency, accuracy and attack resilience. Hamsa is a network-based automated signature generation system for polymorphic worms that generates content-based signatures. Its model divides a worm sample into the protocol frame part (ε), the exploit data (γ) and the worm content (π). Given a suspicious flow pool, token extraction uses a suffix-array-based algorithm [14] to find all byte sequences that occur in at least a λ fraction of the pool. A Hamsa signature is a multiset of tokens that must all be present, in any order, in each suspicious flow. The first token selected for the signature is the one with the lowest false positive rate; the second is the token with the lowest false positive rate in conjunction with the first, and the remaining tokens are chosen the same way until the final signature is produced. With appropriately chosen model parameters, this greedy approach is claimed to find a good signature, under the assumption that the exploit data (γ) and the protocol frame (ε), which together form the invariant part of the worm, are not under the worm author's control: the author has to exploit a software vulnerability over a fixed protocol structure to get the worm content executed.

Token extraction is the preliminary step before content-based polymorphic worm signatures are generated. Polygraph includes a token only if it is not a substring of another token, or, if it is, if its unique coverage is above a specified threshold. A token that is a substring of another token and whose unique coverage is below the threshold may still have large coverage among the worm samples as a substring of other tokens; Hamsa therefore treats every substring with coverage above the threshold as a token. A further concern is the cost of extraction: Polygraph performs a bottom-up traversal of a suffix tree to count the occurrences of each token candidate and then generates the tokens via a top-down traversal. This takes asymptotically linear time, but even improved suffix tree implementations consume a large amount of memory, up to 20 bytes per input character in the worst case [7]. Lightweight suffix array construction algorithms such as deepsort [14] also run in linear time while consuming less memory. Using the deepsort suffix array implementation, Hamsa obtains around a 100-fold speedup in token extraction compared to Polygraph. Even when the same suffix-tree-based token extraction and suffix-array-based false positive calculation are used, Hamsa was found to be 64 to 361 times faster than Polygraph, owing to the difference in signature generation technique.
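The three Polygraph signature families described above, written out as matchers over a byte flow. This is an added example, not Polygraph's code: the tokens, the per-token Bayes scores, the threshold and the four flows are constructed for illustration (Polygraph learns the scores from its suspicious and normal pools), and the 4-byte stub stands in for invariant decoder bytes.

```python
# Added example: matchers for Polygraph's three signature families.
# Tokens, scores, threshold and flows below are constructed, not from the paper.

def match_conjunction(tokens, flow):
    """Conjunction signature: every token is present in the flow, in any order."""
    return all(t in flow for t in tokens)


def match_subsequence(tokens, flow):
    """Token-subsequence signature: the tokens occur in the given order,
    each one found after the end of the previous one."""
    pos = 0
    for t in tokens:
        pos = flow.find(t, pos)
        if pos < 0:
            return False
        pos += len(t)
    return True


def bayes_score(token_scores, flow):
    """Bayes signature: sum the scores of the tokens present in the flow.
    Polygraph's scores are log-likelihood ratios learned from the pools."""
    return sum(score for tok, score in token_scores.items() if tok in flow)


def match_bayes(token_scores, threshold, flow):
    return bayes_score(token_scores, flow) >= threshold


# Constructed tokens: an HTTP request frame plus a 4-byte stub that stands in
# for invariant bytes of a decryption routine (hypothetical values).
TOKENS = [b"GET /", b" HTTP/1.1\r\n", b"Host: ", b"\xeb\x1e\x5b\x31"]
TOKEN_SCORES = {b"GET /": 0.1, b" HTTP/1.1\r\n": 0.1, b"Host: ": 0.2,
                b"\xeb\x1e\x5b\x31": 3.5}
THRESHOLD = 3.0

# Two constructed worm variants: same tokens, different filler bytes.
WORM_A = (b"GET /" + b"A" * 24 + b" HTTP/1.1\r\nHost: " + b"x" * 12
          + b"\xeb\x1e\x5b\x31" + b"\r\n\r\n")
WORM_B = (b"GET /" + b"%2e" * 8 + b" HTTP/1.1\r\nHost: " + b"y" * 20
          + b"\xeb\x1e\x5b\x31" + b"\r\n\r\n")
# All four tokens present, but "Host: " precedes "GET /": conjunction matches,
# subsequence does not.
REORDERED = b"Host: q" + b"GET /" + b" HTTP/1.1\r\n" + b"\xeb\x1e\x5b\x31"
# A benign request: three of the four tokens, no decoder stub.
NORMAL = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"


def demo():
    """Return (family, flow name, verdict) triples for the constructed flows."""
    flows = {"WORM_A": WORM_A, "WORM_B": WORM_B,
             "REORDERED": REORDERED, "NORMAL": NORMAL}
    out = []
    for name, flow in flows.items():
        out.append(("conjunction", name, match_conjunction(TOKENS, flow)))
        out.append(("subsequence", name, match_subsequence(TOKENS, flow)))
        out.append(("bayes", name, match_bayes(TOKEN_SCORES, THRESHOLD, flow)))
    return out


if __name__ == "__main__":
    for family, name, verdict in demo():
        print(f"{family:12s} {name:10s} {'worm' if verdict else 'benign'}")
```

The REORDERED flow is the case that separates the first two families: a conjunction signature accepts it, a token-subsequence signature does not. The NORMAL request carries three of the four tokens, and its Bayes score (0.4) stays far below the threshold only because the score of the decoder stub dominates; a signature whose tokens are all protocol-frame bytes would match benign traffic just as well.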

Hamsa [7] defines a new attack, the token-fit attack, which is a stronger form of the coincidental-pattern attack defined in Polygraph [3]. The idea is that the attacker may obtain normal traffic with a token distribution similar to that of the normal noise in the suspicious pool, and inject those normal-traffic tokens into the worm variants. The worm samples then look more like the normal noise in the suspicious pool, which degrades the quality of the generated signature. According to the tests in [7], Polygraph cannot detect such worms (100% false negatives) while Hamsa can.

PADS ([15], [16]) is a content-based polymorphic worm detection technique that aims to fill the gap between traditional signature-based schemes and anomaly-based intrusion detection. It proposes two algorithms, based on Expectation-Maximization [20] and Gibbs Sampling [21], to generate position-aware distribution signatures from the polymorphic worm samples. Hamsa and Polygraph both focus on the invariant parts of the worm content; in addition to this invariant content, PADS also models the variant parts of the worm content that follow certain distributions.

3. TOKEN-PAIR POLYMORPHIC WORM SIGNATURES
We describe our solution, which generates a signature of token pairs from a suspicious flow pool containing the worm samples and a normal pool that is assumed to contain only normal traffic. The difference between token-pair conjunction and token-pair subsequence signatures lies in the ordering rule for the token pairs: a token-pair conjunction signature only requires both tokens of a pair to appear in the flow, whereas a token-pair subsequence signature requires one to appear after the other. For simplicity, and so that the total score can be computed in one pass over the flow, a token occurrence can contribute to the total score at most once as the first token of a pair and at most once as the second token of a pair.

Rather than assuming, as Polygraph does, that tokens appear in a flow independently of each other, we propose a model that considers the dependence between token pairs (the reasoning is given in Section 3.3). Two signature types are defined: Token-Pair Subsequence signatures and Token-Pair Conjunction signatures.

These signature classes are defined as follows. Token-Pair Conjunction signatures contain a set of tokens from which the token pairs are formed. Each possible token pair has a precalculated score that contributes to the total score of the flow being evaluated. The tokens in a pair are unordered: if both tokens of a pair appear in the flow, in any order, the pair's score is added to the total. A threshold specific to the signature is computed and compared against the total score in the decision step; if enough token pairs appear in the flow, it is labelled a polymorphic worm.

Token-Pair Subsequence signatures likewise contain a set of tokens and the corresponding token pairs, each with a precalculated score. Here the two tokens of a pair are ordered, but there is no restriction on which pair must appear next. Again a signature-specific threshold is compared against the total score, and the flow is labelled a polymorphic worm if enough token pairs appear. Signature generation and the decision process are explained in detail below.

3.1 Notation
The notation used in the rest of the paper is as follows.

Token set (of n tokens): $\{T_i\}_{1 \le i \le n}$

Worm label: $L(x) \in \{\mathrm{true}, \mathrm{false}\}$

A flow x is encoded differently for conjunction and subsequence signatures.

Token-Pair Subsequence flow/sample: $x \in \{0,1\}^{n \times n}$, where
$x_{ij} = 1$ if $i < j$, token $T_i$ is present in the flow, token $T_j$ is present in the flow somewhere after $T_i$, and no other token occurs between $T_i$ and $T_j$;
$x_{ii} = 1$ if token $T_i$ is present in the flow and no other token is present;
all other entries are 0.

Token-Pair Conjunction flow/sample: $x \in \{0,1\}^{n \times n}$, where
$x_{ij} = x_{ji} = 1$ if $i \ne j$ and tokens $T_i$ and $T_j$ are both present in the flow;
$x_{ii} = 1$ if token $T_i$ is present in the flow and no other token is present;
all other entries are 0.

3.2 Signature Generation
Token extraction is the first step of token-pair signature generation. A token is a substring used to build the polymorphic worm signature; tokens are extracted from the suspicious flow pool, which contains the worm samples, in the same way as in Polygraph [3]. Working on the suspicious pool, the algorithm of [4] extracts all distinct substrings of a given minimum length that occur in at least K of the n samples.

When generating token-pair conjunction signatures, we use this token extraction algorithm to find all tokens that appear in every worm sample. A token-pair conjunction signature has a score for each possible (unordered) token pair. The score is based on the probability of the i-th token appearing in the suspicious and normal flow pools, and of the j-th token appearing in the suspicious and normal pools before or after the i-th token. For token-pair subsequence signatures, token extraction is likewise the first phase; the signature has a score for each possible ordered token pair, based on the probability of the i-th token appearing in the suspicious and normal pools and of the j-th token appearing in those pools after the i-th token. If the suspicious pool consists of samples each s bytes long, the running time of token extraction is O(s). With n tokens extracted, computing the token-pair scores takes O(n²).

In summary, Token-Pair Subsequence signatures consist of ordered token pairs with associated scores, calculated from the probability that the second token appears after the first, with no other token between them, in the suspicious flow pool and in the innocuous flow pool. Token-Pair Conjunction signatures ignore the order of the tokens; their pair scores are calculated from the probability that the two tokens appear together in the suspicious pool and in the innocuous pool.
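The token extraction step of Section 3.2, as an added example that is not the paper's or Polygraph's code: every distinct substring of at least min_len bytes occurring in at least K of the n worm samples becomes a candidate, and a candidate that is a substring of a longer candidate is kept only if its unique coverage (samples not already covered by a longer candidate) reaches min_unique. The three worm samples are constructed, with invariant request bytes around per-sample filler and sled bytes. The naive all-substrings enumeration is quadratic in the sample size; the paper's suffix-tree/suffix-array extraction is linear, this block only shows what it computes.

```python
# Added example: Polygraph-style token extraction (section 3.2).
# Worm samples are constructed; the enumeration is naive, not the paper's linear-time method.

def extract_tokens(samples, min_len=4, k=None, min_unique=1):
    """Return the substrings of length >= min_len that occur in at least k of the
    samples, dropping any that a longer token already accounts for."""
    n = len(samples)
    k = n if k is None else k
    coverage = {}                                   # substring -> set of sample indexes
    for idx, s in enumerate(samples):
        subs = {s[i:j] for i in range(len(s)) for j in range(i + min_len, len(s) + 1)}
        for sub in subs:
            coverage.setdefault(sub, set()).add(idx)
    cand = {t: c for t, c in coverage.items() if len(c) >= k}
    tokens = []
    for t, cov in cand.items():
        longer = [c for u, c in cand.items() if u != t and t in u]   # candidates containing t
        if longer and len(cov - set().union(*longer)) < min_unique:
            continue                                # fully explained by a longer token
        tokens.append(t)
    return sorted(tokens, key=lambda t: (-len(t), t))


# Constructed samples: invariant exploit/protocol bytes around per-sample filler,
# a unique two-byte decoder prefix, a NOP-style sled and a unique two-byte suffix.
PREFIX = b"GET /cgi/"
FRAME = b" HTTP/1.0\r\nX: "
TAIL = b"\r\n\r\n"
WORM_SAMPLES = [
    PREFIX + b"aaaa" + FRAME + b"\x31\xc0" + b"\x90" * 8 + b"\xe8\x1f" + TAIL,
    PREFIX + b"bbbb" + FRAME + b"\x33\xdb" + b"\x90" * 6 + b"\xeb\x1d" + TAIL,
    PREFIX + b"cccc" + FRAME + b"\x29\xc9" + b"\x41" * 5 + b"\xe9\x1b" + TAIL,
]


if __name__ == "__main__":
    print("K = n:    ", extract_tokens(WORM_SAMPLES, min_len=4))
    print("K = n - 1:", extract_tokens(WORM_SAMPLES, min_len=4, k=2))
```

With K = n only the three invariant regions survive; every shorter substring of them has the same coverage as its enclosing region and is removed. With K = 2 the six-byte sled shared by the first two samples also becomes a token, which is the kind of content an attacker controls: a lower K buys recall at the price of tokens that a token-fit attack can plant in normal traffic.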

3.3 Polymorphic Worm Detection
To classify a flow x we must compute the probability that x is a worm and the probability that it is not, i.e. $\Pr[L(x)=\mathrm{true} \mid x]$ and $\Pr[L(x)=\mathrm{false} \mid x]$. A score computed from the ratio of these two probabilities guides the decision.

Unlike Polygraph [3], we do not assume that the presence of a token in a flow is independent of the presence of the other tokens. Newsome et al. themselves noted that more complex Bayesian models could be developed without the independence assumption made in Polygraph [3]. The tokens are part of the exploitation logic of a vulnerability, which has its own rules that must be followed for the exploit to succeed, so we see value in modelling the relation between the tokens that make up a worm sample. Polygraph also shows that token-subsequence signatures are never worse than conjunction signatures, which supports the idea that the appearance of a token is related to its neighbouring tokens. The most complex Bayesian model, with no independence assumption at all, would consider the probability of all tokens appearing together in a given flow; that requires computing probabilities for every subset of tokens of size at most n, and the number of such probabilities grows rapidly with n. Our model therefore considers the dependence between token pairs only.

Given the token set $\{T_i\}_{1 \le i \le n}$ and a flow sample x, $\Pr[x \mid L(x)=\mathrm{true}]$ and $\Pr[x \mid L(x)=\mathrm{false}]$ are defined in terms of the token pairs $x_{ij}$, for both signature types.

Using Bayes' law, $\Pr[L(x)=\mathrm{true} \mid x]$ and $\Pr[L(x)=\mathrm{false} \mid x]$ can be written as

$$\Pr[L(x)=\mathrm{true} \mid x] = \frac{\Pr[x \mid L(x)=\mathrm{true}]\,\Pr[L(x)=\mathrm{true}]}{\Pr[x]} \qquad (1)$$

$$\Pr[L(x)=\mathrm{false} \mid x] = \frac{\Pr[x \mid L(x)=\mathrm{false}]\,\Pr[L(x)=\mathrm{false}]}{\Pr[x]} \qquad (2)$$

The ratio of these probabilities is then

$$\frac{\Pr[L(x)=\mathrm{true} \mid x]}{\Pr[L(x)=\mathrm{false} \mid x]} = \frac{\Pr[x \mid L(x)=\mathrm{true}]\,\Pr[L(x)=\mathrm{true}] / \Pr[x]}{\Pr[x \mid L(x)=\mathrm{false}]\,\Pr[L(x)=\mathrm{false}] / \Pr[x]} = \frac{\Pr[x \mid L(x)=\mathrm{true}]}{\Pr[x \mid L(x)=\mathrm{false}]} \times \frac{\Pr[L(x)=\mathrm{true}]}{\Pr[L(x)=\mathrm{false}]} \qquad (3)$$

Without any further information, the following prior is acceptable for a given flow x:

$$\Pr[L(x)=\mathrm{true}] = \Pr[L(x)=\mathrm{false}] = 0.5 \qquad (4)$$

Thus the ratio reduces to

$$\frac{\Pr[L(x)=\mathrm{true} \mid x]}{\Pr[L(x)=\mathrm{false} \mid x]} = \frac{\Pr[x \mid L(x)=\mathrm{true}]}{\Pr[x \mid L(x)=\mathrm{false}]} \qquad (5)$$

and, with the likelihoods expressed over the token pairs present in x,

$$\frac{\Pr[x \mid L(x)=\mathrm{true}]}{\Pr[x \mid L(x)=\mathrm{false}]} = \prod_{x_{ij}=1} \frac{\Pr[x_{ij}=1 \mid L(x)=\mathrm{true}]}{\Pr[x_{ij}=1 \mid L(x)=\mathrm{false}]} \qquad (6)$$

We calculate a Bayesian score for the flow from this model. The individual ratios may be large, and their product grows into a number that is neither human-readable nor easy to scale. As proposed in Polygraph, we therefore take the logarithm of each probability ratio and sum them to obtain the overall Bayes score S:

$$S = \sum_{x_{ij}=1} \log \frac{\Pr[x_{ij}=1 \mid L(x)=\mathrm{true}]}{\Pr[x_{ij}=1 \mid L(x)=\mathrm{false}]} \qquad (7)$$

The pair probabilities in (6) and (7) are the ones estimated from the suspicious and innocuous flow pools during signature generation (Section 3.2).

3.4 Decision Rule
The score S is compared to a threshold to decide whether the flow is a worm. The threshold E is calculated for a maximum tolerable false positive rate. The overall decision rule is:

$$L(x) = \begin{cases} \mathrm{true}, & \text{if } S \ge E \\ \mathrm{false}, & \text{if } S < E \end{cases}$$
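The whole pipeline of Sections 3.1 to 3.4 in one place, as an added example that is not the authors' code: the subsequence and conjunction encodings of a flow into pairs $x_{ij}$ (3.1), the pair scores estimated from a suspicious and a normal pool (3.2), the score S of equation (7) (3.3), and the threshold E with the decision rule (3.4). The tokens, both pools and the two test flows are constructed. Three details are assumptions of this example rather than statements of the paper: the pair probabilities are Laplace-smoothed so that a pair absent from one pool does not produce log(0); only the leftmost occurrence of each token is used when ordering tokens within a flow; and E is derived as the lowest score that leaves at most the tolerated fraction of the normal pool at or above it (here on the same normal pool used for the scores, which is in-sample; a deployment would use held-out normal traffic).

```python
# Added example: token-pair signatures end to end (sections 3.1-3.4).
# Tokens, pools and flows are constructed; smoothing and the derivation of E are assumptions.
import math


def token_sequence(tokens, flow):
    """Indexes of the tokens present in the flow, ordered by leftmost offset
    (only the first occurrence of each token is used: a simplification)."""
    hits = [(flow.find(t), i) for i, t in enumerate(tokens) if t in flow]
    return [i for _, i in sorted(hits)]


def pairs_subsequence(tokens, flow):
    """x_ij = 1 of the subsequence encoding: T_j directly follows T_i in the flow
    (no other token between them) and i < j; a lone token gives x_ii."""
    seq = token_sequence(tokens, flow)
    if len(seq) == 1:
        return {(seq[0], seq[0])}
    return {(i, j) for i, j in zip(seq, seq[1:]) if i < j}


def pairs_conjunction(tokens, flow):
    """Conjunction encoding: both tokens present, in any order.  The notation sets
    x_ij = x_ji = 1; each unordered pair is kept once so it is not scored twice."""
    seq = token_sequence(tokens, flow)
    if len(seq) == 1:
        return {(seq[0], seq[0])}
    return {(i, j) for i in seq for j in seq if i < j}


class TokenPairSignature:
    def __init__(self, tokens, suspicious, normal, encode, max_fp=0.0):
        self.tokens, self.encode = tokens, encode
        sus = [encode(tokens, f) for f in suspicious]
        nor = [encode(tokens, f) for f in normal]

        # Pr[x_ij = 1 | L] per pool, Laplace (+1/+2) smoothed (assumption).
        def p_true(p):
            return (sum(p in s for s in sus) + 1) / (len(sus) + 2)

        def p_false(p):
            return (sum(p in s for s in nor) + 1) / (len(nor) + 2)

        self.scores = {p: math.log(p_true(p) / p_false(p))
                       for p in set().union(*sus, *nor)}
        # Smoothed log-ratio for a pair seen in neither pool.
        self.unseen = math.log((len(nor) + 2) / (len(sus) + 2))
        # E: lowest value leaving at most max_fp of the normal pool at or above it.
        normal_scores = sorted((self.score(f) for f in normal), reverse=True)
        allowed = int(max_fp * len(normal_scores))
        self.E = (normal_scores[allowed] + 1e-9 if allowed < len(normal_scores)
                  else -math.inf)

    def score(self, flow):
        """Equation (7): sum of the pair log-ratios over the pairs present in the flow."""
        return sum(self.scores.get(p, self.unseen) for p in self.encode(self.tokens, flow))

    def is_worm(self, flow):
        """Section 3.4: L(x) = true iff S >= E."""
        return self.score(flow) >= self.E


# Constructed data.  Tokens are indexed in the order they occur in the worm samples,
# so the i < j rule of the subsequence encoding follows worm order.
TOKENS = [b"GET /cgi/", b" HTTP/1.0\r\nX: ", b"\x90" * 6, b"\r\n\r\n"]
SUSPICIOUS = [
    TOKENS[0] + b"aaaa" + TOKENS[1] + b"\x31\xc0" + b"\x90" * 8 + b"\xe8\x1f" + TOKENS[3],
    TOKENS[0] + b"bbbb" + TOKENS[1] + b"\x33\xdb" + b"\x90" * 6 + b"\xeb\x1d" + TOKENS[3],
    TOKENS[0] + b"cccc" + TOKENS[1] + b"\x29\xc9" + b"\x90" * 7 + b"\xe9\x1b" + TOKENS[3],
]
NORMAL = [
    b"GET /cgi/status HTTP/1.0\r\nX: 1\r\n\r\n",          # tokens 0,1,3 in order
    b"GET /index.html HTTP/1.0\r\nX: 2\r\n\r\n",          # tokens 1,3
    b"POST /cgi/upload HTTP/1.1\r\n\r\n",                  # token 3 only
    b"GET /cgi/ HTTP/1.1\r\nHost: a\r\n\r\n",              # tokens 0,3
    b"PUT /blob HTTP/1.0\r\nX: y\r\n\r\n" + b"\x90" * 6,  # tokens 1,3,2 (sled after tail)
]
NEW_WORM = b"GET /cgi/zzzz HTTP/1.0\r\nX: \x50" + b"\x90" * 9 + b"\xcc\r\n\r\n"
NEW_NORMAL = b"GET /cgi/env HTTP/1.0\r\nX: q\r\n\r\n"


def demo():
    """Build both signature types and classify the two new flows."""
    out = {}
    for name, enc in (("subsequence", pairs_subsequence), ("conjunction", pairs_conjunction)):
        sig = TokenPairSignature(TOKENS, SUSPICIOUS, NORMAL, enc, max_fp=0.0)
        out[name] = (sig.E, sig.score(NEW_WORM), sig.is_worm(NEW_WORM),
                     sig.score(NEW_NORMAL), sig.is_worm(NEW_NORMAL))
    return out


if __name__ == "__main__":
    for name, (E, sw, vw, sn, vn) in demo().items():
        print(f"{name}: E={E:.3f} worm S={sw:.3f} -> {vw}; normal S={sn:.3f} -> {vn}")
```

With the subsequence encoding the worm's three ordered pairs (0,1), (1,2), (2,3) give S = ln 2.8 + 2 ln 5.6 ≈ 4.48, while the benign request that shares the (0,1) pair is pulled back below E by the (1,3) pair, which only normal traffic exhibits. Note what the last normal flow shows: the sled token is present, but after the tail, so under the i < j rule it contributes no pair at all. The conjunction encoding ignores order and therefore scores that flow much higher, which is the price of its flexibility.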
