Analyzing Maximum Length of Instruction Sequence in Network Packets for Polymorphic Worm Detection

The importance of the method for finding out the worms that are made through the modification of parts of their original worms increases. It is difficult to detect these worms by comparing with the simple definition that past anti-virus software adapts. Moreover, if it is not an already-known worm, it is not possible to detect it. In this paper, we pay attention to the Toth et al.´s method to extract the executable code included in the dataflows on the network and detect the attack by measuring the length of them. The importance of the method for finding out the worms that are made through the modification of parts of their original worms increases. It is difficult to detect these worms by comparing with the simple definition that past anti-virus software adapts. Moreover, if it is not an already- known worm, it is not possible to detect it. In this paper, we pay attention to the Toth et al.´s method to extract the executable code included in the dataflows on the network and detect the attack by measuring the length of them. Then, we describe the problem of their method and how to solve it.Then, we describe the problem of their method and how to solve it.