Detect Polymorphic Worms Based on Semantic Signature and Data-Mining

Author

Wei, Wang ; Dai-sheng, Luo ; Jianmin, Zhang

Author_Institution

Inst. of Image Info., Sichuan Univ., Chengdu

fYear

2006

fDate

25-27 Oct. 2006

Firstpage

1

Lastpage

4

Abstract

In recent years, Internet worms increasingly threaten the Internet hosts and service and polymorphic worms can evade signature-based intrusion detection systems. In this paper, we propose new methods to detect polymorphic worms based on semantic signature and data-mining. Our main contributions of this work are as follows: (1) we propose a worm attack model - the OSJUMP model. (2) Based on the attack model, we analyse the feature of polymorphic worms and the feature of perfect ones. (3) We propose methods to detect worms through recognizing JUMP address based on data-mining such as Bayes and ANN. We evaluate some famous worm and polymorphic ones generated from them. The results show that the false negative and performance improved a lot compared to signature-based IDSs.

Keywords

Bayes methods; Internet; data mining; invasive software; neural nets; ANN; Bayes; Internet worms; JUMP address; OSJUMP model; data mining; polymorphic worms; semantic signature; signature-based intrusion detection systems; worm attack model; Buffer overflow; Cryptography; Databases; Engines; Intrusion detection; Payloads; Performance analysis; Protocols; Telecommunication traffic; Web and internet services;

fLanguage

English

Publisher

ieee

Conference_Titel

Communications and Networking in China, 2006. ChinaCom '06. First International Conference on

Conference_Location

Beijing

Print_ISBN

1-4244-0463-0

Electronic_ISBN

1-4244-0463-0

Type

conf

DOI

10.1109/CHINACOM.2006.344904

Filename

4149869