Design and evaluation of a system for network threat signatures generation

The paper addresses a problem of cybersecurity that plays the strategic role in modern computer networks. The attention is focused on the usage of pre-generated signatures to detect malicious content in network traffic. Given the rapid propagation of computer threats, it is crucial to detect them in early stage of an infection. Therefore, the main challenge is to design and develop efficient mechanisms for generation of their signatures. Nowadays, manually generated signatures of computer worms are commonly used for identifying malicious activity in the networks. Creation of such signatures often requires hours or even days of work, while the time limit for signatures generation for active worms is measured in minutes, at the most. Thus, attack trends change very fast, making it impossible to keep up with manual signature engineering and an automatic generation of signatures seems to be the only reasonable solution. In this paper, we investigate a problem of automatic generation of signatures of zero-day polymorphic worms. We developed an efficient algorithm for token extraction and a novel method for automatic multi-token signature composition. Our method employs a genetic algorithm to produce signatures accurately matching network worms. We designed and developed a framework for offline generation of signatures implementing our method. The efficiency and utility of the system was verified through simulation. The test cases were carried out on data combining real flows and synthetic flows imitating real malicious Internet traffic. The results of experiments performed for selected polymorphic worms demonstrate that our framework may be successfully used to create the high quality signatures in a reasonable time.