• DocumentCode
    2549667
  • Title

    ASG Automated Signature Generation for Worm-Like P2P Traffic Patterns

  • Author

    Xiao, Fengtao ; Hu, Huaping ; Chen, Xin ; Liu, Bo

  • Author_Institution
    Sch. of Comput. Sci., Nat. Univ. of Defence Technol., Changsha
  • fYear
    2008
  • fDate
    20-22 July 2008
  • Firstpage
    654
  • Lastpage
    660
  • Abstract
    Many P2P software programs have communication patterns similar to those of computer worms, and thus they bring in false positives for behaviour-based worm detection. Up to now, little work has been done on the similarities between the communication patterns of worms and P2P software, or on how to eliminate the worm-like P2P traffic. Based on an analysis of popular P2P software used nowadays and the host process information, this paper presents ASG, a novel host-based algorithm to generate signatures for worm-like P2P communication patterns. The contribution of our work lies in three aspects: a) analyzing communication pattern similarities between P2P traffic and worm traffic through examples; b) designing a practical and simple signature format for worm-like P2P traffic based on the host process information; c) presenting an automated signature generation (ASG) method to extract the signature of worm-like P2P traffic. Experiments with popular P2P software show that ASG can effectively extract the signature and reduce the false positives.
  • Keywords
    invasive software; peer-to-peer computing; telecommunication traffic; ASG; P2P software; automated signature generation; worm traffic; worm-like P2P traffic patterns; Computer architecture; Computer science; Computer security; Computer worms; Data mining; Information analysis; Information management; Information security; Pattern analysis; Telecommunication traffic;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Web-Age Information Management, 2008. WAIM '08. The Ninth International Conference on
  • Conference_Location
    Zhangjiajie Hunan
  • Print_ISBN
    978-0-7695-3185-4
  • Electronic_ISBN
    978-0-7695-3185-4
  • Type

    conf

  • DOI
    10.1109/WAIM.2008.95
  • Filename
    4597081