An Emulation-based Detection System for Detecting Polymorphic Network Worms-Using WLAN as A Case Study
Main Authors: | Chiang Huang (黃強) |
---|---|
Other Authors: | Chi-Chun Lo (羅濟群) |
Format: | Others |
Language: | zh-TW |
Published: | 2008 |
Online Access: | http://ndltd.ncl.edu.tw/handle/91052046726627666219 |
id | ndltd-TW-096NCTU5396018 |
---|---|
record_format | oai_dc |
spelling | ndltd-TW-096NCTU5396018 2015-10-13T13:51:49Z http://ndltd.ncl.edu.tw/handle/91052046726627666219 An Emulation-based Detection System for Detecting Polymorphic Network Worms-Using WLAN as A Case Study 一個基於模擬方法的多型網路蠕蟲偵測系統-以無線區域網路環境為例 Chiang Huang 黃強 Master's degree, National Chiao Tung University, Institute of Information Management, 96; advisor Chi-Chun Lo 羅濟群; 2008; degree thesis ; thesis 80 zh-TW |
collection | NDLTD |
language | zh-TW |
format | Others |
sources | NDLTD |
description | Master's degree === National Chiao Tung University === Institute of Information Management === 96 === This research proposes a polymorphic worm detection approach, using WLAN as a case study. Platform issues profoundly affect worm attacks, and today's real network worms primarily target Intel Architecture 32-bit platforms; to address real problems, this research concentrates on the x86 IA-32 platform. Among current approaches, substring-signature-based detection is the fastest, but its false positive ratio still needs improvement. Static-analysis signature systems have a major problem with run-time code obfuscation, and virtual-machine honeypot-based detection has a traffic redirection problem. This research therefore proposes a novel approach to detecting polymorphic network worms that overcomes the weaknesses just mentioned. The approach is designed as follows: first, check for the signature of the polymorphic decoder and locate the decoder's entry point; second, execute the decoder to recover the original worm attack payload; third, from the execution behaviour of the attack payload, determine whether it issues any system call for network usage. The proposed approach effectively eliminates the high false positive rate. The conclusions are as follows: (1) the false positive ratio is reduced by about 15% on average compared with the existing signature system Polygraph in the best case; (2) scanning packets for decoder signatures is recommended above an MTU of 512 bytes; (3) filtering executable files out of the network traffic reduces false positives by 25% compared with unfiltered traffic; (4) the proposed system works properly under packet fragmentation attacks. |
author2 | Chi-Chun Lo |
author_facet | Chi-Chun Lo Chiang Huang 黃強 |
author | Chiang Huang 黃強 |
author_sort | Chiang Huang |
title | An Emulation-based Detection System for Detecting Polymorphic Network Worms-Using WLAN as A Case Study |
publishDate | 2008 |
url | http://ndltd.ncl.edu.tw/handle/91052046726627666219 |