PolyS: Network-based Signature Generation for Zero-day Polymorphic Worms

Abstract

With growing sophistication of computer worms, it is very important to detect and prevent the worms quickly and accurately at their early phase of infection. Traditional signature based IDS, though effective for known attacks but failed to handle the zero-day attack promptly. Recent works on polymorphic worms does not guarantee accurate signature in presence of noise in suspicious flow samples. In this paper we propose PolyS, an improved version of Hamsa, a network based automated signature generation scheme to thwart zeroday polymorphic worms. We contribute a novel architecture that reduces the noise in suspicious traffic pool, thus enhancing the accuracy of worm’s signature. Also we propose a signature generation algorithm for successfully matching polymorphic worm payload with higher speed and memory efficiency. Analysis shows that our system is fast, accurate, attackresilient and capable of generating quality signature with low false positive and false negative.