DocumentCode :
2156888
Title :
Honeypot based signature generation for defense against polymorphic worm attacks in networks
Author :
Paul, Sudipta ; Mishra, B.K.
Author_Institution :
Dept. of Inf. Technol., Birla Inst. of Technol., Ranchi, India
fYear :
2013
fDate :
22-23 Feb. 2013
Firstpage :
159
Lastpage :
163
Abstract :
With the growing sophistication of computer worms, information security has become a prime concern for individuals, communities and organizations. Traditional signature-based IDS, though effective for known attacks, fail to handle unknown attacks promptly. This paper describes a novel honeypot system which captures worms based on their characteristic of self-replication. We introduce a combination of unlimited and limited outbound connections to capture different payloads of single or multiple worms. The proposed system isolates the suspicious traffic and is able to effectively control the malicious traffic and capture the most useful information regarding the worm's activities, without the attacker's knowledge. Our system will be used for critical study of the structure and behavior of the most sophisticated worms and then forwards the necessary input to the Signature Generation Module for automatically generating signatures of unknown worms. Our attempt is to generate signatures of unknown, especially polymorphic, worms with low false positives and high coverage. Our system is able to enhance the capability of the IDS signature library and increases the probability of detecting most variants of unknown worms.
Keywords :
computer network security; digital signatures; probability; telecommunication traffic; IDS signature library capability enhancement; automatic honeypot-based signature generation module; information security; limited outbound connections; malicious traffic control; polymorphic computer worm attack defense; suspicious traffic isolation; unknown worm detection probability improvement; unlimited outbound connections; worm payload; worm self-replication characteristics; Arrays; Conferences; Grippers; Internet; Intrusion detection; Payloads; defense; honeypot; intrusion detection; polymorphic worm; signature;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Advance Computing Conference (IACC), 2013 IEEE 3rd International
Conference_Location :
Ghaziabad
Print_ISBN :
978-1-4673-4527-9
Type :
conf
DOI :
10.1109/IAdCC.2013.6514213
Filename :
6514213