PolyI-D: Polymorphic Worm Detection Based on Instruction Distribution

  • Ki Hun Lee
  • Yuna Kim
  • Sung Je Hong
  • Jong Kim
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4298)


With lack of diversity in platforms and softwares running in Internet-attached hosts, Internet worms can spread all over the world in just a few minutes. Many researchers suggest the signature-based Network Intrusion Detection System(NIDS) to defend the network against it. However, the polymorphic worm evolved from the traditional Internet worm was devised to evade signature-based detection schemes, which actually makes NIDS useless. Some schemes are proposed for detecting it, but they have some shortcomings such as belated detection and huge overhead.

In this paper, we propose a new system, called PolyI-D, that detects the polymorphic worm through some tests based on instruction distribution in real-time with little overhead. This is particularly suitable even for fast spread and continuously mutated worms.


Executable Code Worm Propagation USENIX Security Symposium Internet Worm False Positive Alarm 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    DeTristan, T., Ulenspiegel, T., Malcom, Y., Underduk, M.V.: Polymorphic shellcode engine using spectrum analysis (2003),
  2. 2.
    Macaulay, S.: Admmutate: Polymorphic shellcode engine (2001),
  3. 3.
    Kolesnikov, M., Lee, W.: Advanced polymorphic worms: evading ids by blending in with normal traffic. Technical report, Georgia Tech College of Computing (2004)Google Scholar
  4. 4.
    Staniford, S., Paxson, V., Weaver, N.: How to own the internet in your spare time. In: Proceedings of the 11th USENIX Security Symposium, Berkeley, CA, USA, pp. 149–167. USENIX Association (2002)Google Scholar
  5. 5.
    Zou, C.C., Gong, W., Towsley, D.: Code red worm propagation modeling and analysis. In: Proceedings of the 9th ACM conference on Computer and Communications Security (CCS), Washington, DC, USA, pp. 138–147. ACM Press, New York (2002)CrossRefGoogle Scholar
  6. 6.
    Venkataraman, S., Song, D., Gibbons, P., Blum, A.: New streaming algorithms for fast detection of superspreaders. In: Network and Distributied System Symposium (NDSS) (2005)Google Scholar
  7. 7.
    Weaver, N., Staniford, S., Paxson, V.: Very fast containment of scanning worms. In: Proceedings of the 13th USENIX Security Symposium (2004)Google Scholar
  8. 8.
    Bailey, M., Cooke, E., Jahanian, F., Nazario, J., Watson, D.: The internet motion sensor: a distributed blackhole monitoring system. In: Network and Distributed System Symposium (NDSS) (2005)Google Scholar
  9. 9.
    Dagon, D., Qin, X., Gu, G., Lee, W., Grizzard, J., Levin, J., Owen, H.: Honeystat: local worm detection using honeypots. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 39–58. Springer, Heidelberg (2004)Google Scholar
  10. 10.
    Williamson, M.: Throttling viruses: restricting propagation to defeat malicious mobile code. In: Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC), Washington, DC, USA, p. 61. IEEE Computer Society Press, Los Alamitos (2002)CrossRefGoogle Scholar
  11. 11.
    Moore, D., Shannon, C., Voelker, G., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: Proceedings of annual joint conference of the IEEE Computer and Communications Societies (INFOCOM), San Fancisco, CA, IEEE Computer Society Press, Los Alamitos (2003)Google Scholar
  12. 12.
    Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceeding of 6th symposium on Operating System Design and Implementation (OSDI) (2004)Google Scholar
  13. 13.
    Kim, H.A., Autograph, B.K.: Autograph: Toward automated, distributed worm signature detection. In: Proceeding of 13th USENIX Security Symposium (2004)Google Scholar
  14. 14.
    Stampf, N.: Worms of the future: trying to exorcise the worst (2003)Google Scholar
  15. 15.
    Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. In: Proceedings of the 12th USENIX Security Symposium (2003)Google Scholar
  16. 16.
    Newsome, J., Karp, B., Song, D.: Polygraph: automatically generating signatures for polymorphic worms. In: 2005 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos (2005)Google Scholar
  17. 17.
    Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic worm detection using structural information of executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, Springer, Heidelberg (2006)CrossRefGoogle Scholar
  18. 18.
    Akritidis, P., Markatos, E.P., Polychronakis, M., Anagnostakis, K.: Stride: Polymorphic sled detection through instruction sequence analysis. In: 20th IFIP International Information Security Conference. IFIP TC11 20th International Information Security Conference, May 30 – June 1, 2005. IFIP International Federation for Information Processing, vol. 181, Springer, Boston (2005)Google Scholar
  19. 19.
    One, A.: Smashing the stack for fun and profit (1996),

Copyright information

© Springer Berlin Heidelberg 2007

Authors and Affiliations

  • Ki Hun Lee
    • 1
  • Yuna Kim
    • 1
  • Sung Je Hong
    • 1
  • Jong Kim
    • 1
  1. 1.Department of Computer Science and Engineering, Pohang University of Science and Technology(POSTECH), San-31, Hyoja-dong, PohangKorea

Personalised recommendations