Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic
I like this paper a lot; it provides a rigorous treatment of a theoretical future that many "worst case scenario" worm paper authors have proposed.

Normal traffic can provide worms with a very good source of information to camouflage themselves. In this paper, we explore the concept of polymorphic worms that mutate based on normal traffic. We assume that a worm has already penetrated a system and is trying to hide its presence and propagation attempts from an IDS. We focus on stealthy worms that cannot be reliably detected by increases in traffic because of their low propagation factor. We first give an example of a simple polymorphic worm. Such worms can evade a signature-based IDS but not necessarily an anomaly-based IDS. We then show that it is feasible for an advanced polymorphic worm to gather a normal traffic profile and use it to evade an anomaly-based IDS. We tested the advanced worm implementation with three anomaly IDS approaches: NETAD, PAYL and Service-specific IDS. None of the three IDS approaches were able to detect the worm reliably. We found that the mutated worm can also evade other detection methods, such as the Abstract Payload Execution.

Source: Advanced Polymorphic Worms: Evading IDS by Blending in with Normal Traffic, Oleg Kolesnikov and Wenke Lee.

The goal of this paper is to advance the science of IDS by analyzing techniques polymorphic worms can use to hide themselves. While future work is needed to present a complete solution, our analysis can be used in designing possible defenses. By showing that polymorphic worms are a practical threat, we hope to stimulate further research to improve existing IDS.
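To make the anomaly-IDS side of the abstract concrete, here is an added example (my own code, not the paper's or wormblog's) of a minimal PAYL-style 1-gram payload model: it learns the mean and standard deviation of each byte value's relative frequency from a constructed set of "normal" HTTP requests, scores new payloads by a simplified Mahalanobis distance, and flags anything above a threshold calibrated on the training set. The training requests, the test requests, the ALPHA smoothing constant and the threshold factor are all my assumptions. The last function shows the model's structural blind spot: a byte-shuffled copy of a normal request has exactly the same histogram and therefore the same score, which is why a worm that matches the normal byte distribution is invisible to this class of detector.

```python
"""PAYL-style 1-gram byte-frequency anomaly detector (added example, not the
paper's code).  Profiles normal payloads per byte value and scores new
payloads by a simplified Mahalanobis distance."""
import math
import random

# Constructed training corpus of plausible HTTP/1.0 requests (not real traffic).
NORMAL_PAYLOADS = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /images/logo.gif HTTP/1.0\r\nHost: www.example.com\r\nAccept: image/gif\r\n\r\n",
    b"GET /about.html HTTP/1.0\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /news/2005/09/index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"POST /cgi-bin/search HTTP/1.0\r\nHost: www.example.com\r\nContent-Length: 9\r\n\r\nq=worms",
    b"GET /style.css HTTP/1.0\r\nHost: www.example.com\r\nAccept: text/css\r\n\r\n",
]

# Constructed test inputs: one unseen but ordinary request, one binary blob.
NEW_NORMAL_REQUEST = (
    b"GET /news/index.html HTTP/1.0\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n"
)
BINARY_PAYLOAD = bytes(range(128, 256)) * 2  # high bytes never seen in training

ALPHA = 0.001          # smoothing so a zero-variance byte does not divide by zero
THRESHOLD_FACTOR = 2.0  # assumed: flag anything above 2x the worst training score


def byte_frequencies(payload):
    """Relative frequency of each of the 256 byte values in the payload."""
    counts = [0] * 256
    for b in payload:
        counts[b] += 1
    n = len(payload) or 1
    return [c / n for c in counts]


def train_profile(payloads):
    """Per-byte mean and standard deviation of relative frequency (the 1-gram model)."""
    freqs = [byte_frequencies(p) for p in payloads]
    k = len(freqs)
    means = [sum(f[i] for f in freqs) / k for i in range(256)]
    stds = [math.sqrt(sum((f[i] - means[i]) ** 2 for f in freqs) / k)
            for i in range(256)]
    return means, stds


def anomaly_score(payload, profile):
    """Simplified Mahalanobis distance: sum of per-byte deviations in std units."""
    means, stds = profile
    freqs = byte_frequencies(payload)
    return sum(abs(freqs[i] - means[i]) / (stds[i] + ALPHA) for i in range(256))


def calibrate_threshold(profile, payloads, factor=THRESHOLD_FACTOR):
    """Threshold as a multiple of the highest score seen on the training data."""
    return factor * max(anomaly_score(p, profile) for p in payloads)


def is_anomalous(payload, profile, threshold):
    """Detection decision for a single payload."""
    return anomaly_score(payload, profile) > threshold


def shuffled_bytes(payload, seed=1):
    """Same bytes in a different order: identical histogram, different content."""
    data = list(payload)
    random.Random(seed).shuffle(data)
    return bytes(data)


def run_demo():
    """Train, calibrate and score the constructed inputs; returns the results."""
    profile = train_profile(NORMAL_PAYLOADS)
    threshold = calibrate_threshold(profile, NORMAL_PAYLOADS)
    return {
        "threshold": threshold,
        "normal_score": anomaly_score(NEW_NORMAL_REQUEST, profile),
        "binary_score": anomaly_score(BINARY_PAYLOAD, profile),
        # Byte order is invisible to a 1-gram model, so this equals normal_score.
        "shuffled_score": anomaly_score(shuffled_bytes(NEW_NORMAL_REQUEST), profile),
        "normal_flagged": is_anomalous(NEW_NORMAL_REQUEST, profile, threshold),
        "binary_flagged": is_anomalous(BINARY_PAYLOAD, profile, threshold),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The binary blob is flagged because its byte values never occur in the profile, while the unseen-but-ordinary request stays under the threshold. The shuffled request scoring identically is the caveat a practitioner should take from the paper: a detector that only looks at the byte histogram cannot separate content that merely resembles the profile statistically from content that is normal, so per-service parsing or higher-order n-grams are needed to raise the bar.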
September 7, 2005 in detection, ids, papers | Permalink
Comments
It seems to be a repeat of a link you posted in January:
http://www.wormblog.com/2005/01/polymorphic_wor.html
Posted by: Justin Ma | Sep 7, 2005 10:59:52 PM
Subject Line: Beat Long Poll Lines with Absentee Ballots from StateDemocracy.org
Many state and local election officials are encouraging voters to use Absentee Ballots to avoid the long lines and delays expected at the polls on November 4th due to the record-breaking surge in newly registered voters.
Voters in most states still have time to obtain an Absentee Ballot by simply downloading an official application form available through www.StateDemocracy.org, a completely FREE public service from the nonprofit State Democracy Foundation.
Read More: http://us-2008-election.blogspot.com/2008/10/beat-long-poll-lines-with-absentee.html
Posted by: james | Oct 27, 2008 3:27:27 AM