A worm is a piece of software that uses computer networks and security flaws to create copies of itself. A copy of the worm scans the network for other machines that have a specific security flaw, replicates itself to each such machine through that flaw, and the new copy then starts scanning and replicating in turn. [1]
Metamorphic worms cannot be detected easily by content-based systems because the worm code (i.e. its content) may change considerably without changing its behaviour, unlike monomorphic, oligomorphic and polymorphic worms, where only the decryption function may change [2]. Thus, to detect these kinds of worms, it is more judicious to look at the behaviour rather than at the content.

III. BEHAVIOUR-BASED SIGNATURES

In the context of this work, we define the notion of behaviour-based signatures to represent the worm behaviour at the network and system level. We therefore decompose the behaviour-based signature into two parts: the network-based signature and the system-based signature.

A. Network behaviour-based signature

The network behaviour-based signature defines the way a worm propagates from a source to a destination by analyzing the following network metrics:

• IP address of the source.
• Source port, destination port, protocol type (tcp, udp…).
• Number of packets.
• Length of the biggest packet.

To represent the system behaviour-based signature, we consider the following elements:

• Internal ports sequence.
• System calls sequence.
• Library links sequence.
• Devices access sequence.
• CPU profile.
• Memory consumption profile.
• Evolution of the worm's length (in the case of zipped worms).
• History of the worm's location in the file system.
• Operating system of the source host.

In addition to these elements, we take into account the address dispersion characteristic used by EarlyBird. However, in our case, besides counting the number of connections (as EarlyBird does), we also look at the strategy the worm uses to generate target IP addresses. All these elements can be measured with tools provided by Solaris such as vmstat, mpstat, iostat and kstat [12].

After having defined the behaviour-based signatures, we will now present our generator model of signatures.
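As an added example (not the paper's own code or its signature generator), the following Python builds both parts of a behaviour-based signature from constructed data: the network part for one source host with the metrics listed above plus the EarlyBird-style connection count and address dispersion (number of distinct destinations contacted) and a classification of the IP generation strategy, and the system part from the system-calls sequence of a strace-like trace. It also shows why the system part survives metamorphism: a variant trace with a different unpacking prologue and different bytes and lengths on the wire still reproduces the worm's syscall n-grams, while a benign trace does not. The flow records and traces are constructed; the sequential/random/single classification rule, the 0.8 ratio of +1 steps, the dispersion threshold of 4, the n-gram size and the 0.5 match threshold are all assumptions of this example, not values given in the paper, which measures these elements with Solaris tools rather than with strace.

```python
from collections import Counter
from ipaddress import IPv4Address
# Constructed flow records (not real captures), one per connection attempt, in
# capture order: src_ip, src_port, dst_ip, dst_port, proto, packets, max_len.
FLOWS = [  # 10.0.0.5 plays the worm host, 10.0.0.7 a benign client
    ("10.0.0.5", 40001, "192.168.1.10", 445, "tcp", 3, 1460),
    ("10.0.0.5", 40002, "192.168.1.11", 445, "tcp", 3, 1460),
    ("10.0.0.5", 40003, "192.168.1.12", 445, "tcp", 2, 60),
    ("10.0.0.5", 40004, "192.168.1.13", 445, "tcp", 3, 1460),
    ("10.0.0.5", 40005, "192.168.1.14", 445, "tcp", 3, 1460),
    ("10.0.0.5", 40006, "192.168.1.15", 445, "tcp", 2, 60),
    ("10.0.0.7", 51000, "10.0.0.20", 443, "tcp", 40, 1500),
    ("10.0.0.7", 51001, "10.0.0.30", 53, "udp", 2, 120),
]
# Constructed strace-style traces, one call per line: "name(args) = ret".
WORM_TRACE = [
    "socket(AF_INET, SOCK_STREAM, 0) = 3",
    "connect(3, {sin_port=445, sin_addr=192.168.1.10}) = 0",
    'write(3, "\\x00\\x00\\x01\\x90", 412) = 412',
    "close(3) = 0",
    "socket(AF_INET, SOCK_STREAM, 0) = 3",
    "connect(3, {sin_port=445, sin_addr=192.168.1.11}) = 0",
    'write(3, "\\x00\\x00\\x01\\x90", 412) = 412',
    "close(3) = 0",
]
# Metamorphic variant: an unpacking prologue and different bytes and lengths
# on the wire, but the same propagation behaviour as WORM_TRACE.
VARIANT_TRACE = [
    "mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS, -1, 0) = 0x7f10",
    "socket(AF_INET, SOCK_STREAM, 0) = 4",
    "connect(4, {sin_port=445, sin_addr=192.168.1.12}) = 0",
    'write(4, "\\x4d\\x5a\\x90", 390) = 390',
    "close(4) = 0",
    "socket(AF_INET, SOCK_STREAM, 0) = 4",
    "connect(4, {sin_port=445, sin_addr=192.168.1.13}) = 0",
    'write(4, "\\x4d\\x5a\\x90", 390) = 390',
    "close(4) = 0",
]
BENIGN_TRACE = [
    'open("/etc/hosts", O_RDONLY) = 3',
    'read(3, "127.0.0.1 localhost", 4096) = 20',
    "close(3) = 0",
    "socket(AF_INET, SOCK_STREAM, 0) = 3",
    "connect(3, {sin_port=443, sin_addr=10.0.0.20}) = 0",
]
def ip_generation_strategy(dst_ips):
    """Assumed rule (the paper only says the strategy is examined): +1 steps
    between nearly all successive targets = sequential sweep, else random."""
    ints = [int(IPv4Address(ip)) for ip in dst_ips]
    if len(set(ints)) < 2:
        return "single"  # one target is not a scan at all
    steps = [b - a for a, b in zip(ints, ints[1:])]
    sequential = sum(1 for s in steps if s == 1)
    return "sequential" if sequential >= 0.8 * len(steps) else "random"

def network_signature(flows, src_ip):
    """Network signature of one source host: the paper's metrics, EarlyBird-style
    connection count and address dispersion, and the IP generation strategy."""
    own = [f for f in flows if f[0] == src_ip]
    if not own:
        return None
    dst_ips = [f[2] for f in own]
    return {
        "source_ip": src_ip,
        "source_ports": sorted({f[1] for f in own}),
        "destination_ports": sorted({f[3] for f in own}),
        "protocols": sorted({f[4] for f in own}),
        "packets": sum(f[5] for f in own),
        "max_packet_len": max(f[6] for f in own),
        "connections": len(own),
        "address_dispersion": len(set(dst_ips)),  # distinct destinations
        "ip_generation": ip_generation_strategy(dst_ips),
    }

def is_scanner(sig, min_dispersion=4):
    """Assumed decision rule: enough distinct targets and a scanning pattern."""
    return sig["address_dispersion"] >= min_dispersion and sig["ip_generation"] != "single"

def syscall_sequence(trace):
    """System signature element: ordered syscall names, arguments dropped."""
    return [line.split("(", 1)[0] for line in trace]

def ngram_profile(calls, n=3):
    return Counter(tuple(calls[i:i + n]) for i in range(len(calls) - n + 1))

def system_match(trace, signature_calls, n=3, threshold=0.5):
    """Share of the signature's syscall n-grams a new trace reproduces
    (n and the 0.5 threshold are assumptions for this example)."""
    wanted = ngram_profile(signature_calls, n)
    if not wanted:
        return False, 0.0
    seen = ngram_profile(syscall_sequence(trace), n)
    score = sum(1 for g in wanted if g in seen) / len(wanted)
    return score >= threshold, score

if __name__ == "__main__":
    print(network_signature(FLOWS, "10.0.0.5"))
    print(system_match(VARIANT_TRACE, syscall_sequence(WORM_TRACE)))
```

Running the script prints the worm host's signature (six connections to six distinct sequential targets on port 445, so it is flagged as a scanner) and a full match of the variant trace against the worm's syscall n-grams; the benign client, with only two destinations, is not flagged, and the benign trace shares only one n-gram with the worm. In a real deployment the flow records would come from a network tap and the syscall sequence from the host's tracing facility, and the thresholds would have to be calibrated against normal traffic rather than set by hand as here.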