Corpus ID: 141466221

On the Convergence Rates of Learning-based Signature Generation Schemes to Contain Self-propagating Malware

Saeed Valizadeh and Marten van Dijk
In this paper, we investigate the importance of a defense system's learning rates to fight against the self-propagating class of malware such as worms and bots. To this end, we introduce a new propagation model based on the interactions between an adversary (and its agents) who wishes to construct a zombie army of a specific size, and a defender taking advantage of standard security tools and technologies such as honeypots (HPs) and intrusion detection and prevention systems (IDPSes) in the… 
Cybersecurity Games: Mathematical Approaches for Cyber Attack and Defense Modeling
Mohammad H. Valizadeh
This dissertation presents a Markov-based general framework to model security games, introduces the notion of learning in cybersecurity games, and describes a general “game of consequences”, meaning that each player’s chances of making a progressive move in the game depend on its previous actions.


Thwarting zero-day polymorphic worms with network-level length-based signature generation
Evaluation based on real-world vulnerabilities of various protocols and real network traffic demonstrates that LESG is promising in achieving these goals and proves the attack resilience bounds even under worst-case attacks with deliberate noise injection.
Catch Me, If You Can: Evading Network Signatures with Web-based Polymorphic Worms
It is shown how a different class of worms, namely those based on web vulnerabilities and scripting languages, can be much harder to detect than "traditional" polymorphic worms.
Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience
Hamsa is proposed, a network-based automated signature generation system for polymorphic worms which is fast, noise-tolerant and attack-resilient, and significantly outperforms Polygraph in terms of efficiency, accuracy, and attack resilience.
Survey on malware evasion techniques: State of the art and challenges
A survey on the various techniques employed in malware to evade detection by security systems such as intrusion detection and anti-virus software, which includes obfuscation, fragmentation and session splicing, application specific violations, protocol violations, and code reuse attacks.
Polymorphic Blending Attacks
This paper introduces a new class of polymorphic attacks, called polymorphic blending attacks, that can effectively evade byte frequency-based network anomaly IDS by carefully matching the statistics of the mutated attack instances to the normal profiles.
A survey of internet worm detection and containment
The current methods used to slow down or stop the spread of worms are explored and the remaining challenges of worm detection and future research directions are pointed out.
Autograph: Toward Automated, Distributed Worm Signature Detection
Autograph is described, a system that automatically generates signatures for novel Internet worms that propagate using TCP transport, and that is designed to produce signatures that exhibit high sensitivity (high true positives) and high specificity (low false positives).
Limits of Learning-based Signature Generation with Adversaries
This paper forms a framework that allows a unified analysis of pattern-extraction algorithms for signature generation in an adversarial setting, and proves lower bounds on the number of mistakes any pattern-extraction learning algorithm must make under common assumptions, by showing how to adapt results from learning theory.
Paragraph: Thwarting Signature Learning by Training Maliciously
It is shown that even a delusive adversary, whose samples are all correctly labeled, can obstruct learning, and practical attacks against learning are described, in which an adversary constructs labeled samples that prevent or severely delay generation of an accurate classifier.
Automated Worm Fingerprinting
The initial experience suggests that, for a wide range of network pathogens, it may be practical to construct fully automated defenses - even against so-called "zero-day" epidemics.