A Novel Signature Generation Approach for Polymorphic Worms

  • Jie WangEmail author
  • Xiaoxian He
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9530)


Because of complex polymorphism in worms and the disturbance of crafted noises, it becomes more difficult to generate signatures quickly and accurately. This paper proposes a neighbor relation signature (NRS) for polymorphic worms,which is a collection of distance frequency distributions between neighbor byte. Moreover, we propose a signature generation algorithm (NRS-CC) by combing NRS and color coding technique. NRS-CC selects sequences randomly from suspicious flow pool to generate neighbor relation signatures, and then uses color coding technique to get rid of noise disturbance. Extensive experiments are carried out to demonstrate the validity of our approach. The experiment results show that our approach can generate polymorphic signature more quickly compared with existing signature generate approaches when the suspicious flow pool contains noise sequences.


Signature generation Polymorphic worm Worm detection Intrusion detection Worm signature 



This work is supported by National Natural Science Foundation of China under Grant No.61202495 and No.61402542.


  1. 1.
    Kaur, R., Singh, M.: A survey on zero-day polymorphic worm detection techniques. IEEE Commun. Surv. Tutorials 16(3), 1520–1549 (2014)CrossRefGoogle Scholar
  2. 2.
    Bayoglu, B., Sogukpinar, L.: Graph based signature classes for detecting polymorphic worms via content analysis. Comput. Netw. 56(2), 832–844 (2012)CrossRefGoogle Scholar
  3. 3.
    Mohammed, M.M.Z.E., Chan, H.A., Ventura, N., Pathan, A.S.K.: An automated signature generation method for zero-day polymorphic worms based on multilayer perceptron model. In: Proceedings of 2013 International Conference on Advanced Computer Science Applications and Technologies (ACSAT), Kuching, pp. 450–455, December 2013Google Scholar
  4. 4.
    Comar, P.M., Liu, L., Saha, S., Tan, P.N., Nucci, A.: Combining supervised and unsupervised learning for zero-day malware detection. In: Proceedings of 32nd Annual IEEE International Conference on Computer Communications (INFOCOM 2013), Turin, Italy, pp. 2022–2030, April 2013Google Scholar
  5. 5.
    Kaur, R., Singh, M.: Efficient hybrid technique for detecting zero-day polymorphic worms. In: Proceedings of 2014 IEEE International on Advance Computing Conference (IACC), pp. 95–100, February 2014Google Scholar
  6. 6.
    Perdisci, R., Dagon, D., Lee, W., Fogla, P., Sharif, M.: Misleading worm signature generators using deliberate noise injection. In: Proceedings of 2006 IEEE Symposium on Security and Privacy, Atlanta, GA, USA, pp. 17–31 (2006)Google Scholar
  7. 7.
    Stephenson, B., Sikdar, B.: A quasi-species model for the propagation and containment of polymorphic worms. IEEE Trans. Comput. 58(9), 1289–1296 (2009)MathSciNetCrossRefGoogle Scholar
  8. 8.
    Talbi, M., Mejri, M., Bouhoula, A.: Specification and evaluation of polymorphic shellcode properties using a new temporal logic. J. Comput. Virol. 5(3), 171–186 (2009)CrossRefGoogle Scholar
  9. 9.
    Codi, M., Patel, D., Borisaniya, B., Patel, H., Patel, A., Rajarajan, M.: A survey of intrusion detection techniques in cloud. J. Netw. Comput. Appl. 36(1), 42–57 (2013)CrossRefGoogle Scholar
  10. 10.
    Ranjan, S., Shah, S., Nucci, A., Munafo, M., Cruz, R., Muthukrishnan, S.: DoWitcher: effective worm detection and containment in the internet core. In: IEEE Infocom, Anchorage, Alaska, pp. 2541–2545 (2007)Google Scholar
  11. 11.
    Cai, M., Hwang, K., Pan, J., Christos, P.: WormShield: fast worm signature generation with distributed fingerprint aggregation. IEEE Trans. Dependable Secure Comput. 5(2), 88–104 (2007)CrossRefGoogle Scholar
  12. 12.
    Newsome, J., Karp, B., Song, D.: Polygraph: automatically generation signatures for polymorphic worms. In: Proceedings of 2005 IEEE Symposium on Security and Privacy Symposium, Oakland, California, pp. 226–241 (2005)Google Scholar
  13. 13.
    Li, Z., Sanghi, M., Chen, Y., Kao, M., Chavez, B.: Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience. In: Proceedings of IEEE Symposium on Security and Privacy, Washington, DC, pp. 32–47 (2006)Google Scholar
  14. 14.
    Cavallaro, L., Lanzi, A., Mayer, L., Monga, M.: LISABETH: automated content-based signature generator for zero-day polymorphic worms. In: Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems, Leipzig, Germany, pp. 41–48 (2008)Google Scholar
  15. 15.
    Bayoglu, B., Sogukpinar, L.: Polymorphic worm detection using token-pair signatures. In: Proceedings of the 4th International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing, Sorrento, Italy, pp. 7–12 (2008)Google Scholar
  16. 16.
    Tang, Y., Xiao, B., Lu, X.: Signature tree generation for polymorphic worms. IEEE Trans. Comput. 60(4), 565–579 (2011)MathSciNetCrossRefGoogle Scholar
  17. 17.
    Tang, Y., Chen, S.: An automated signature-based approach against polymorphic internet worms. IEEE Trans. Parallel Distrib. Syst. 18, 879–892 (2007)CrossRefGoogle Scholar
  18. 18.
    Wang, J., Wang, J.X., Chen, J.E., Zhang, X.: An automated signature generation approach for polymorphic worm based on color coding. In: IEEE ICC 2009, Dresden, Germany, pp. 1–6 (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.School of Information Science and EngineeringCentral South UniversityChangshaChina

Personalised recommendations