A Worm Detection System Based on Deep Learning

Hanxun Zhou,Wei Guo,Cliff C Zou,Hong Pan,Xinlin Yang,Yeshuai Hu

doi:10.1109/access.2020.3023434

Abstract

In today's cyber world, worms pose a great threat to the global network infrastructure. In this paper, we propose a worm detection system based on deep learning. It includes two main modules: one worm detection module based on a convolutional neural network (CNN) and one automatic worm signature generation module based on a deep neural network (DNN). In the CNN-based worm detection module, we propose three kinds of data preprocessing methods: frequency processing, frequency weighted processing, and difference processing, and use CNN to train the model for worm detection. In the DNN-based worm signature generation module, there are two phrase: DNN is firstly utilized for training the model with worm payloads and their corresponding signatures as input in the training phrase. After worm payloads are fed into the trained DNN model in the test phrase, worm signatures are generated by our proposed Signature Beam Search algorithm. In the experiment, we firstly analyzed the impact of different data preprocessing methods and the number of convolution-pooling layers in the CNN model on the worm detection performance. Then we analyzed the effects of different signatures in the DNN algorithm on the automatic generation of worm signatures. Experiments show that the generated signatures have a good detection performance.

Highlights

Cyber threats from Internet worms are not new, but how to effectively detect and defend against them still remains an ongoing challenge
We propose a novel worm detection system based on deep learning, which can detect worms accurately and generate worm signatures automatically
We used three synthetic worm payload datasets which are presented by Polygraph: Apache-Knacker [25], Algorithm 4 Signature Beam Search Algorithm Input: a, K ; a represents the worm payload, K represents the size of beam Output: sig; sig represents the N ×K dimensional signature Initialize: sig[0][K ] = {} for i = 1, . . . N do for k = 1, . . . K do bpredict = {b1, b2,. . . , bV } = dnn(bi+1, a, bc) for v = 1, . . . V do if b−i1−index == b−i−index +1 sig[i][k]= bi+1 break Else continue End end for if v == V sig[i][k] = ’u’ End end for end for return sig ATPhttpd [26], and TSIG [27]