CRNI, May 1, 2019

On the Convergence Rates of Learning-based Signature Generation Schemes to Contain Self-propagating Malware

arXiv:1905.00154v1
Originality: Incremental advance
AI Analysis

This paper addresses the challenge of defending against fast-spreading malware in networked environments, but the contribution appears incremental, since it builds on existing security tools (honeypots, intrusion detection and prevention systems) and existing learning-based signature generation schemes.

The paper tackles the problem of containing self-propagating malware such as worms by modeling the interaction between an attacker and a defender, where the defender generates signatures by learning from collected attack samples. The results are evaluated through simulation and numerical analysis to assess how effectively such learning halts the adversary's progress.

In this paper, we investigate the importance of a defense system's learning rates to fight against the self-propagating class of malware such as worms and bots. To this end, we introduce a new propagation model based on the interactions between an adversary (and its agents) who wishes to construct a zombie army of a specific size, and a defender taking advantage of standard security tools and technologies such as honeypots (HPs) and intrusion detection and prevention systems (IDPSes) in the network environment. As time goes on, the defender can incrementally learn from the collected/observed attack samples (e.g., malware payloads), and is therefore able to generate attack signatures. The generated signatures are then used for filtering subsequent attack traffic and thus containing the attacker's progress in its malware propagation mission. Using simulation and numerical analysis, we evaluate the efficacy of signature generation algorithms and, in general, any learning-based scheme in bringing an adversary's maneuvering in the environment to a halt as an adversarial containment strategy.
