• DocumentCode
    2313548
  • Title

    A New Attempt to Detect Polymorphic Worms Based on Semantic Signature and Data-Mining

  • Author

    Wei Wang ; Dai-Sheng Luo

  • Author_Institution
    Sichuan Univ., Chengdu
  • fYear
    2006
  • fDate
    25-27 Oct. 2006
  • Firstpage
    1
  • Lastpage
    3
  • Abstract
    In recent years, Internet worms increasingly threaten Internet hosts and services, and polymorphic worms can evade signature-based intrusion detection systems. In this paper, we propose new methods to detect polymorphic worms based on semantic signature and data-mining. The main contributions of this work are as follows: (1) We propose a worm attack model, the OSJUMP model. (2) Based on the attack model, we analyze the feature of polymorphic worms and the feature of perfect ones. (3) We propose methods to detect worms by recognizing the JUMP address based on data-mining such as Bayes and ANN. We evaluate some famous worms and polymorphic ones generated from them; the results show that the false negative and performance improved a lot compared to signature-based IDSes.
  • Keywords
    Bayes methods; Internet; data mining; invasive software; neural nets; ANN; Bayes; Internet worms; JUMP address; OSJUMP model; data-mining; polymorphic worm detection; semantic signature; signature-based intrusion detection systems; worm attack model; Buffer overflow; Cryptography; Databases; Engines; Intrusion detection; Payloads; Performance analysis; Predictive models; Telecommunication traffic; Web and internet services;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Communications and Networking in China, 2006. ChinaCom '06. First International Conference on
  • Conference_Location
    Beijing
  • Print_ISBN
    1-4244-0463-0
  • Electronic_ISBN
    1-4244-0463-0
  • Type

    conf

  • DOI
    10.1109/CHINACOM.2006.344872
  • Filename
    4149837