UCL logo

UCL Discovery

UCL home » Library Services » Electronic resources » UCL Discovery

Autograph: toward automated, distributed worm signature detection

Kim, H-A; Karp, B; (2004) Autograph: toward automated, distributed worm signature detection. In: Proceedings of the 13th USENIX Security Symposium, August 9-13, 2004, San Diego, CA, USA. (pp. 271 - 286). USENIX Association: Berkeley, US.

Full text not available from this repository.

Abstract

Today's Internet intrustion detection systems (IDSes) monitor edge networks' DMZs to identify and/or filter malicious flows. While an IDS helps protect the hosts on its local edge network from compromise and denial of service, it cannot alone effectively intervene to halt and reverse the spreading of novel Internet worms. Generation of the worm signatures required by an IDS--the byte patterns sought in monitored traffic to identify worms--today entails non-trivial human labor, and thus significant delay: as network operators detect anomalous behavior, they communicate with one another and manually study packet traces to produce a worm signature. Yet intervention must occur early in an epidemic to halt a worm's spread. In this paper, we describe Autograph, a system that automatically generates signatures for novel Internet worms that propagate using TCP transport. Autograph generates signatures by analyzing the prevalence of portions of flow payloads, and thus uses no knowledge of protocol semantics above the TCP level. It is designed to produce signatures that exhibit high sensitivity (high true positives) and high specificity (low false positives); our evaluation of the system on real DMZ traces validates that it achieves these goals. We extend Autograph to share port scan reports among distributed monitor instances, and using trace-driven simulation, demonstrate the value of this technique in speeding the generation of signatures for novel worms. Our results elucidate the fundamental trade-off between early generation of signatures for novel worms and the specificity of these generated signatures.

Type:Proceedings paper
Title:Autograph: toward automated, distributed worm signature detection
Publisher version:http://www.usenix.org/publications/library/proceedings/sec04/tech/
Keywords:worm, signature, generation, defense, security
UCL classification:UCL > School of BEAMS > Faculty of Engineering Science > Computer Science

Archive Staff Only: edit this record