vEye: behavioral footprinting for self-propagating worm detection and profiling

With unprecedented speed, virulence, and sophistication, self-propagating worms remain as one of the most severe threats to information systems and Internet in general. In order to mitigate the threat, efficient mechanisms are needed to accurately profile and detect the worms before or during their outbreaks. Particularly, deriving a worm's unique signatures, or fingerprints, is of the first priority to achieve this goal. One of the most popular approaches is to use content-based signatures, which characterize a worm by extracting its unique information payload. In practice, such content-based signatures, unfortunately, suffer from numerous disadvantages, such as vulnerable to content mutation attacks or not applicable for polymorphic worms. In this paper, we propose a new behavioral footprinting (BF) approach that nicely complements the state-of-the-art content-based signature approaches and allows users to detect and profile self-propagating worms from the unique worm behavioral perspective. More specifically, our behavioral footprinting method uniquely captures a worm's dynamic infection sequences (e.g., probing, exploitation, and replication) by modeling each interaction step as a behavior phenotype and denoting a complete infection process as a chained sequence. We argue that a self-propagating worm's inherent behaviors or infection patterns can be detected and characterized by using sequence alignment tools, where patterns shared by the infection sequences will imply the behavioral footprints of the worm. A systematic platform called vEye has been built to validate the proposed design with either live or historical worms, where a number of real-world infection sequences are used to build worm behavioral footprints. Experimental comparisons with existing content-based fingerprints will demonstrate the uniqueness and effectiveness of the proposed behavior footprints in self-propagating worm detection and profiling.