Polymorphic worms signature extraction based-on improved ant colony algorithm

Polymorphic worm signature extraction is a critical part of signature-based intrusion detection. Since the classical Hierarchical Multi-Sequence Alignment(HMSA) algorithm has bad time performance in extracting signatures when multiple sequences alignment was used and the extracted signatures were not precise enough, a new method called antMSA was proposed base on the improved ant optimal algorithm. The search strategy of the ant group was improved and introduced to the Contiguous Matches Encouraging Needleman-Wunsch(CMENW) algorithm to get a better solution quickly in global range by using the rapid convergence ability of the ant colony algorithm. The signature fragments were extracted and converted into the standard rules of the intrusion detection systems for subsequence defense. The experimental results show that the new method solves the stagnation problems of the classical ant optimal algorithm, and reduces the false positive rate and the false negative rate.