This chapter proposes a novel worm signature that is appropriate for the polymorphic worm detection. Most of the recent worm signatures are constructed based on worm bytes themselves or relationships between worm bytes. In this case, most of these signatures cannot detect the polymorphic worms successfully. Our worm signature takes the worm bytes themselves and the relationships between worm bytes into consideration. So, it is called position-relation signature (PRS). The new signature is capable of handling certain polymorphic worms. The experiments show that the algorithm could be used as a basis to implement a worm detection system.
展开▼
