Polymorphic worm detection using token-pair signatures

Access Rights

info:eu-repo/semantics/closedAccess

Abstract

A worm is a self-replicating computer program that, unlike a virus, neither needs to attach itself to an existing program nor requires user intervention. Worms exploit operating system and application software vulnerabilities to infect systems. Polymorphic code is the art of developing code that mutates at each copy while keeping the original algorithm unchanged. A polymorphic worm therefore changes its pattern each time it sends a copy to another system, which lets it avoid detection by simple signature-matching techniques. However, some part of the code still remains unchanged. In this work, we propose Token-Pair Conjunction and Token-Pair Subsequence signatures for detecting polymorphic worm threats. Experiments with the proposed model were performed using two real polymorphic worms. The experimental results show that the proposed signature schemes have low false negatives and false positives. Copyright 2008 ACM. © 2009 Elsevier B.V., All rights reserved.

Description

International Conference on Pervasive Services, ICPS 2008 - 4th International Workshop on Security, Privacy and Trust in Pervasive and Ubiquitous Computing, SecPerU'08 -- Sorrento -- 76710

Keywords

Polymorphic worms, Token pair signature, Worm detection
