SISG: self‐immune automated signature generation for polymorphic worms
ISSN: 0332-1649
Article publication date: 9 March 2010
Abstract
Purpose
This paper proposes a self‐immune automated signature generation (SISG) method for polymorphic worms that works well even while under attack by any type of malicious adversary and produces global‐suited rather than local‐suited signatures for its distributed architecture. The method is then evaluated experimentally.
Design/methodology/approach
The ideal worm signature exists in every copy of the corresponding worm, but never in other worm categories or in normal network traffic. SISG compares the worm copies and extracts their common components, then produces the worm signature from those components; the signature must achieve a low false‐positive and a low false‐negative rate. SISG is immune to most attacks because it filters out the harmful noise created by malicious adversaries before signature generation.
Findings
The NOP sled, worm body and descriptor are not good signature material because polymorphic engines can obfuscate them intricately. Protocol frames may not be suitable as signatures because of anti‐automated signature generation attacks. Exploit bytes are the essential part of an ideal worm signature, and SISG can extract them exactly.
Originality/value
The paper proposes an SISG method for polymorphic worms that works well even while under attack by any type of malicious adversary and produces global‐suited rather than local‐suited signatures for its distributed architecture.
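The signature criterion in the Design/methodology/approach paragraph (present in every worm copy, absent from normal traffic) can be illustrated with a simplified common-substring extractor. This is an added example, not the SISG algorithm from the paper: the function names, sample bytes and `min_len` threshold are assumptions, and the noise-filtering step is not shown.

```python
# Constructed stand-ins: placeholder bytes, not taken from any real worm.
FRAME = b"GET /cgi-bin/app?id="                # protocol frame, also in benign traffic
EXPLOIT = b"\xde\xad\xbe\xef\x13\x37\xc0\xde"  # invariant "exploit bytes" placeholder
TAIL = b" HTTP/1.1\r\n"

def make_copy(sled, body):
    """One polymorphic copy: sled and body change, the exploit bytes do not."""
    return FRAME + sled + EXPLOIT + body + TAIL

WORM_COPIES = [
    make_copy(b"\x90\x90\x90\x90\x90", b"\x11\x22\x33\x44\x55\x66"),
    make_copy(b"\x40\x48\x41\x49", b"\xa1\xb2\xc3\xd4\xe5"),
    make_copy(b"\x97\x4f\x99\x47\x9b", b"\x0f\x1e\x2d\x3c\x4b\x5a\x69"),
]
NORMAL_TRAFFIC = [
    b"GET /cgi-bin/app?id=42 HTTP/1.1\r\n",
    b"GET /index.html HTTP/1.1\r\n",
]

def common_substrings(samples, min_len=4):
    """Maximal byte strings of at least min_len that occur in every sample."""
    ref = min(samples, key=len)
    found = set()
    for i in range(len(ref) - min_len + 1):
        j = i + min_len
        if not all(ref[i:j] in s for s in samples):
            continue
        # Extend the match while every sample still contains it.
        while j < len(ref) and all(ref[i:j + 1] in s for s in samples):
            j += 1
        found.add(ref[i:j])
    # Keep only tokens that are not contained in a longer token.
    return {t for t in found if not any(t != u and t in u for u in found)}

def signature_tokens(worm_copies, normal_traffic, min_len=4):
    """Common components of the copies that never appear in normal traffic."""
    tokens = common_substrings(worm_copies, min_len)
    return sorted(t for t in tokens if not any(t in f for f in normal_traffic))

def matches(flow, tokens):
    """A flow matches when it contains every signature token."""
    return bool(tokens) and all(t in flow for t in tokens)

if __name__ == "__main__":
    sig = signature_tokens(WORM_COPIES, NORMAL_TRAFFIC)
    print(sig, [matches(f, sig) for f in NORMAL_TRAFFIC])
```

On this constructed input the protocol frame and request tail are common to all copies but also occur in normal traffic, so they are discarded and only the invariant placeholder bytes remain as the signature.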
Citation
Xiaosong, Z., Ting, C., Dapeng, C. and Zhi, L. (2010), "SISG: self‐immune automated signature generation for polymorphic worms", COMPEL - The international journal for computation and mathematics in electrical and electronic engineering, Vol. 29 No. 2, pp. 445-467. https://doi.org/10.1108/03321641011014913
Publisher: Emerald Group Publishing Limited
Copyright © 2010, Emerald Group Publishing Limited