1st International ICST Conference on Communications and Networking in China

Research Article

A New Attempt to Detect Polymorphic Worms Based on Semantic Signature and Data-Mining

  • @INPROCEEDINGS{10.1109/CHINACOM.2006.344872,
        author={Wei  Wang and Dai-sheng  Luo and Zhaobiao  Lu},
        title={A New Attempt to Detect Polymorphic Worms Based on Semantic Signature and Data-Mining},
        proceedings={1st International ICST Conference on Communications and Networking in China},
        publisher={IEEE},
        proceedings_a={CHINACOM},
        year={2007},
        month={4},
        keywords={},
        doi={10.1109/CHINACOM.2006.344872}
    }
    
  • Wei Wang
    Dai-sheng Luo
    Zhaobiao Lu
    Year: 2007
    A New Attempt to Detect Polymorphic Worms Based on Semantic Signature and Data-Mining
    CHINACOM
    IEEE
    DOI: 10.1109/CHINACOM.2006.344872
Wei Wang1, Dai-sheng Luo1, Zhaobiao Lu2
  • 1: Sichuan University, China
  • 2: Beijing Telecom Planning & Designing Institute, China

Abstract

In recent years, Internet worms increasingly threaten the Internet hosts and service and polymorphic worms can evade signature-based intrusion detection systems. In this paper, we propose new methods to detect polymorphic worms based on semantic signature and data-mining. Our main contributions of this work are as follows: (1) we propose a worm attack model - the OSJUMP model. (2) Based on the attack model, we analyze the feature of polymorphic worms and the feature of perfect ones. (3) We propose methods to detect worms by recognizing the JUMP address based on data-mining such as Bayes and ANN. We evaluate some famous worm and polymorphic ones generated from them, the results show that the false negative and performance improved a lot compared to signature-based IDSes.