    ERASER : evasion resistant signature extractor for worms

    Date
    2007-05
    Author
    Karyampudi, Umamaheswararao
    Abstract
    In this thesis, we describe Evasion-Resistant Automated Signature ExtractoR (ERASER), a novel method for extracting content-based worm signatures in an evasion-resistant fashion. Despite much progress on content-based worm signature extraction, several recent studies show that evasive worms can easily render existing methods ineffective (i.e., cause them to miss almost 100% of worm instances, or raise their false positive ratio to intolerable levels) by polymorphising the worm payloads or by poisoning network traffic with carefully crafted, misleading patterns. The evasive attacks by polymorphisation include: Red herring attacks, Correlated Outlier Attacks and AZ attacks. ERASER achieves evasion resistance by exploiting two novel ideas: (i) domain-specific feature selection, which focuses on "smoking gun" features characteristic of worms, i.e., substrings that are invariant across different worm instances and rarely appear in normal traffic, (ii) adversary-aware signature learning, which forces each "successful" evasion to reveal a significant amount of information about the true invariant signatures. ERASER is provably evasion-resistant even in the presence of multiple colluding worms. We develop a prototype system of ERASER and evaluate its performance using both real and synthetic worm payloads combined with a large amount of real Internet traffic data collected at a tier-1 ISP and an edge network. Our results show that ERASER is highly accurate in the presence of a broad range of evasion attacks.
    URI
    http://hdl.handle.net/2152/46168
    Collections
    • University of Texas at Austin

    DSpace software copyright © 2002-2016  DuraSpace
    Contact Us | Send Feedback
    TDL
    Theme by @mire NV
     

     
