A Signature Generation Approach Based on Clustering for Polymorphic Worm

  • Jie Wang
  • Xiaoxian He
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9565)


To prevent worms from propagating rapidly, it is essential to generate worm signatures quickly and accurately. However, existing methods for generating worm signatures either cannot handle noise well or assume there is only one kind of worm sequence in the suspicious flow pool. We propose an approach based on seed extending signature generation (SESG) to generate polymorphic worm signatures from a suspicious flow pool which includes several kinds of worm and noise sequences. The proposed SESG algorithm computes the weight of every sequence, queues the sequences by weight, and then classifies them. Worm signatures are then generated from the classified worm sequences. We compare SESG with other approaches. SESG can classify worm and noise sequences from a suspicious flow pool, and generate effective worm signatures more easily.


Signature generation, Worm detection, Seed-extending algorithm, Polymorphic worm



This work is supported by the National Natural Science Foundation of China under Grant No. 61202495.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Central South University, Changsha, China
