Automatic Signature Generation Technology Based on Sequence Alignment for Zero-day Polymorphic Worms

Posted on: 2011-05-13
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Zhu
Full Text: PDF
GTID: 2178360308468903
Subject: Computer Science and Technology
Abstract/Summary:
Signature-based detection, as deployed in IDS/IPS and firewalls, is the most widely used defence against exploits, and its effectiveness depends on the quality and coverage of the signature set. As polymorphic techniques spread, worms infect hosts more aggressively; in the early phase of an outbreak the number of infected hosts grows close to exponentially. Extracting signatures quickly and accurately during that initial spreading period is therefore crucial. Traditionally, signatures are written by security experts after a worm has already attacked systems and caused damage, which is too late to protect them. Automatic signature generation, an active and challenging topic in network security research, produces signatures quickly without human intervention, so the study has both practical and scientific value. Inspired by sequence alignment in biology, this thesis studies exploit-based automatic signature generation for zero-day polymorphic worms. The main contributions are as follows.

1. Starting from the structural characteristics of polymorphic worms, the thesis analyses their invariant content segments, surveys the current automatic signature generation methods and studies their respective characteristics.

2. A model for collecting attack data as the basis for signature generation. Since accurate sample data is the precondition and foundation of any generation method, the thesis starts from the scanning behaviour of polymorphic worms and purifies the captured traffic using a whitelist and the discrete entropy of IP addresses to isolate the polymorphic worm data stream; it then applies clustering to the mixed attack data, grouping it by the worms' communication characteristics into attack clusters that are later used for signature generation.

3. From a bioinformatics perspective, after studying the theory of sequence alignment and the characteristics of polymorphic worms, the thesis proposes a new automatic signature generation method for zero-day polymorphic worms based on a Two-stage Multiple Sequence Alignment (TsMSA) algorithm. It addresses the loss of locally valid signature content that occurs when the Needleman-Wunsch algorithm is applied directly, and takes the characteristics of polymorphic worms into account. Polymorphic worm samples are aligned against each other with TsMSA, the conserved signature segments are identified, and these are converted into standard IDS rules for subsequent defence. Experimental results indicate that the TsMSA-based method markedly improves the quality of worm signatures, exhibits low false positives, and shows good tolerance of random noise data.
Keywords/Search Tags: network attack, signature generation, sequence alignment, polymorphic worm