Polymorphic worms detection using Extended PolyTree

  • Authors:
  • A. Uzma Jabrooth; B. Parvathavarthini

  • Affiliations:
  • St. Joseph's College of Engineering, Chennai, India; St. Joseph's College of Engineering, Chennai, India

  • Venue:
  • Proceedings of the Second International Conference on Computational Science, Engineering and Information Technology
  • Year:
  • 2012

Abstract

Network worms are a clear and growing threat to the security of today's Internet-connected hosts and networks. One of the most common and effective ways to detect worm attacks is a signature-based IDS, which samples suspicious flows in the network with the goal of recognizing previously encountered worms. The two significant drawbacks of such approaches are manual signature generation and the lack of signatures accurate enough to detect polymorphic worms. This paper proposes a new Network Signature Generator (NSG), Extended PolyTree, that automatically and quickly generates accurate signatures for worms, especially polymorphic worms. It is observed that the signatures of a worm and its variants are related, and that a tree structure can properly reflect their familial resemblance; the signatures extracted from worm samples are therefore organized into a tree structure called a Signature Tree. The approach comprises five phases: traffic data collection, SRE (Simplified Regular Expression) signature generation, signature tree generation, signature selection for the IDS, and worm detection and removal. Based on the suspicious traffic collected, SRE signatures are generated. These signatures are aligned so that they represent their familial resemblance in the form of a signature tree. From the most specific signatures generated, a few are selected and given to the IDS for worm detection. The simulation analysis of this work shows an increase in the time consumed to construct the tree and in worm detection time. The accuracy of the signature generation in this work is better than that of existing systems.
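The pipeline the abstract describes (SRE signature generation from samples, a signature tree ordered from specific leaves to general ancestors, selection of a few signatures for the IDS, and detection on unseen variants) can be illustrated end to end with a small, self-contained script. This is an added example, not the authors' Extended PolyTree and not code from the paper: it stands in a byte-level LCS alignment for the paper's SRE generation, builds the tree over hand-constructed sample families rather than from collected traffic, and uses an assumed selection rule (walk down from the root and keep the most general signature that matches no benign flow). The threshold MIN_TOKEN, the class and function names, and every sample payload are assumptions made for the illustration.

```python
# Added illustration: SRE-style signatures (ordered invariant byte tokens with
# '.*' gaps) from LCS alignment, organised into a signature tree over
# hand-constructed sample families.  Not the authors' Extended PolyTree.

MIN_TOKEN = 3  # assumed threshold: shorter aligned runs are treated as noise


def lcs_pairs(a: bytes, b: bytes):
    """Aligned index pairs (i, j) of one longest common subsequence of a and b."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    pairs, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            pairs.append((i, j))
            i, j = i + 1, j + 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return pairs


def align_tokens(a: bytes, b: bytes):
    """Invariant tokens: aligned runs that are contiguous in both inputs."""
    tokens, run = [], []
    for i, j in lcs_pairs(a, b) + [(-2, -2)]:  # sentinel pair flushes the last run
        if run and (i, j) == (run[-1][0] + 1, run[-1][1] + 1):
            run.append((i, j))
            continue
        if len(run) >= MIN_TOKEN:
            tokens.append(a[run[0][0]:run[-1][0] + 1])
        run = [(i, j)]
    return tokens


def refine(signature, sample: bytes):
    """Generalise a signature so that it also covers `sample`."""
    sep = next(bytes([v]) for v in range(256) if v not in sample)  # never aligns
    return align_tokens(sep.join(signature), sample)


def generate_signature(samples):
    """Fold samples into one signature (the folding order can affect the result)."""
    signature = [samples[0]]
    for s in samples[1:]:
        signature = refine(signature, s)
    return signature


def matches(signature, payload: bytes) -> bool:
    """Ordered-token match with arbitrary gaps; leftmost search is exact here."""
    pos = 0
    for token in signature:
        idx = payload.find(token, pos)
        if idx < 0:
            return False
        pos = idx + len(token)
    return bool(signature)  # an empty signature must never match


class SigNode:  # leaves hold one sample; inner nodes generalise their subtree
    def __init__(self, name, samples, children=()):
        self.name, self.children = name, list(children)
        self.signature = generate_signature(samples)


def select_signatures(node, benign):
    """Top-down: keep the most general node whose signature hits no benign flow."""
    if node.signature and not any(matches(node.signature, f) for f in benign):
        return [node]
    return [n for c in node.children for n in select_signatures(c, benign)]


def detect(selected, payload: bytes):
    """Name of the first selected signature that matches, or None."""
    return next((n.name for n in selected if matches(n.signature, payload)), None)


# Constructed samples (not real worm traffic): two families share an exploit
# vector but differ in sled/decoder; each variant has its own path and body.
T1, T2 = b"GET /cgi-bin/", b" HTTP/1.1\r\n"
DEC_A = b"\x90\x90\x90\x90\xeb\x0e\x5e"
DEC_B = b"\x41\x41\x41\x41\xd9\xee\xd9\x74"
FAMILY_A = [T1 + b"xyz" + T2 + DEC_A + b"\xa1\xa2\xa3\xa4",
            T1 + b"wq" + T2 + DEC_A + b"\xb5\xb6\xb7",
            T1 + b"kkk" + T2 + DEC_A + b"\xc8\xc9\xca\xcb\xcc"]
FAMILY_B = [T1 + b"mm" + T2 + DEC_B + b"\xd1\xd2\xd3",
            T1 + b"jjjj" + T2 + DEC_B + b"\xe1\xe2\xe3\xe4"]
BENIGN = [b"GET /cgi-bin/status HTTP/1.1\r\nHost: intranet\r\n\r\n",
          b"POST /upload HTTP/1.1\r\nContent-Length: 3\r\n\r\nabc"]
UNSEEN_VARIANT = T1 + b"vv" + T2 + DEC_A + b"\xf1\xf2"


def build_tree():
    leaves_a = [SigNode(f"A{i}", [s]) for i, s in enumerate(FAMILY_A, 1)]
    leaves_b = [SigNode(f"B{i}", [s]) for i, s in enumerate(FAMILY_B, 1)]
    return SigNode("root", FAMILY_A + FAMILY_B,
                   [SigNode("A", FAMILY_A, leaves_a), SigNode("B", FAMILY_B, leaves_b)])


if __name__ == "__main__":
    root = build_tree()
    for node in [root] + root.children:  # root and family-level signatures
        print(node.name, b" .* ".join(node.signature))
    chosen = select_signatures(root, BENIGN)
    print("selected:", [n.name for n in chosen], "unseen ->", detect(chosen, UNSEEN_VARIANT))
```

Run as a script, it prints the root signature (the shared request prefix and HTTP version line, which also occurs in the benign CGI request and is therefore rejected during selection), the two family signatures that add the sled and decoder stub, and the detection of a variant that was never aligned into the tree; the leaf signatures, being the raw samples, miss that variant, which is the gap between exact and polymorphic-aware signatures the abstract refers to.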