Honeypot-based signature generation for polymorphic worms

Abstract

With the growing sophistication of computer worms, information security has become a prime concern for individuals, communities and organizations. Traditional signature-based IDSs, though effective against known attacks, fail to handle unknown attacks promptly. This paper describes a novel honeypot system that isolates suspicious traffic from normal traffic and captures the most useful information about the worm's activities without the attacker's knowledge. Our system will be used for critical study of the structure and behavior of the most sophisticated worms and then forwards the necessary input to the Signature Generation Module for automatically generating signatures of unknown polymorphic worms. We attempt to analyze the invariant content of polymorphic worms and, using a probabilistic approach, compute the signature of the worm with low false positives. Evaluation based on synthetically generated polymorphic worms demonstrates that our system is able to enhance the capability of the IDS signature library and increases the probability of detecting polymorphic worms with efficiency and accuracy.

Cite

Paul, S., & Mishra, B. K. (2014). Honeypot-based signature generation for polymorphic worms. International Journal of Security and Its Applications, 8(6), 101–114. https://doi.org/10.14257/ijsia.2014.8.6.10
