Anomalous Payload-Based Worm Detection and Signature Generation

Wang, Ke; Cretu, Gabriela F.; Stolfo, Salvatore

New features of the PAYL anomalous payload detection sensor are demonstrated to accurately detect and generate signatures for zero-day worms. Experimental evidence demonstrates that site-specific packet content models are capable of detecting new worms with high accuracy in a collaborative security system. A new approach is proposed that correlates ingress/egress payload alerts to identify the worm's initial propagation. The method also enables automatic signature generation that can be deployed immediately to network firewalls and content filters to proactively protect other hosts. We also propose a collaborative privacy-preserving security strategy whereby different hosts can exchange PAYL signatures to increase accuracy and mitigate against false positives. The important principle demonstrated is that correlating multiple alerts identifies true positives from the set of anomaly alerts and reduces incorrect decisions producing accurate mitigation.



Also Published In

More About This Work

Academic Units
Computer Science
Published Here
April 30, 2010


Recent advances in intrusion detection: 8th international symposium, RAID 2005, Seattle, WA., USA, September 7-9, 2005: revised papers, Lecture Notes in Computer Science, vol. 3858 (New York: Springer, 2006), pp. 227-246.