Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience

Feb 22, 2006

Abstract

Due to recording problems, video of this seminar will NOT be made available.

In this talk, we will first briefly introduce the High-Performance Network Anomaly/Intrusion Detection and Mitigation (HPNAIDM) system that is currently being developed in the Northwestern Lab of Internet and Security Technology (LIST) (http://list.cs.northwestern.edu), and then focus on one of its components, Hamsa, as described below. The paper on Hamsa will appear in the IEEE Syposium of Security and Privacy this year.

Zero-day polymorphic worms pose a serious potential threat to the security of Internet infrastructure. Given their exponentially increased propagation speed, it is crucial to detect them at routers/gateways in the early stages of infection. Most existing approaches for automatic signature generation are host-based and are not applicable for deploying on high-speed routers. In this talk, we propose Hamsa, a network-based automated signature generation system for polymorphic worms which is fast, noise tolerant, attack resilient, and capable of detecting multiple worm in a single
application protocol. Essentially, we propose a realistic model to analyze the invariant content of polymorphic worms which allows us to make analytical attack resilience guarantees for the signature generation algorithm. Evaluation based on a range of polymorphic worms and polymorphic engines demonstrates that Hamsa significantly outperforms recent work in terms of efficiency, accuracy, and attack resilience.