Anomalous Payload-Based Worm Detection and Signature Generation
New features of the PAYL anomalous payload detection sensor are demonstrated to accurately detect and generate signatures for zero-day worms. Experimental evidence demonstrates that site-specific packet content models are capable of detecting new worms with high accuracy in a collaborative security system. A new approach is proposed that correlates ingress/egress payload alerts to identify the worm's initial propagation. The method also enables automatic signature generation that can be deployed immediately to network firewalls and content filters to proactively protect other hosts. We also propose a collaborative privacy-preserving security strategy whereby different hosts can exchange PAYL signatures to increase accuracy and mitigate against false positives. The important principle demonstrated is that correlating multiple alerts identifies true positives from the set of anomaly alerts and reduces incorrect decisions producing accurate mitigation.
- raid-camerav.pdf application/pdf 279 KB Download File
Also Published In
More About This Work
- Academic Units
- Computer Science
- Published Here
- April 30, 2010
Recent advances in intrusion detection: 8th international symposium, RAID 2005, Seattle, WA., USA, September 7-9, 2005: revised papers, Lecture Notes in Computer Science, vol. 3858 (New York: Springer, 2006), pp. 227-246.