SAS: Semantics aware signature generation for polymorphic worm detection

Deguang Kong, Yoon Chan Jhi, Tao Gong, Sencun Zhu, Peng Liu, Hongsheng Xi

Research output: Contribution to journalArticlepeer-review

8 Scopus citations


String extraction and matching techniques have been widely used in generating signatures for worm detection, but how to generate effective worm signatures in an adversarial environment still remains a challenging problem. For example, attackers can freely manipulate byte distributions within the attack payloads and thus inject well-crafted noisy packets to contaminate the suspicious flow pool. To address these attacks, we propose SAS, a novel Semantics Aware Statistical algorithm for automatic signature generation. When SAS processes packets in a suspicious flow pool, it uses data flow analysis techniques to remove non-critical bytes. We then apply a hidden Markov model (HMM) to the refined data to generate state-transition-graph-based signatures. To our best knowledge, this is the first work combining semantic analysis with statistical analysis to automatically generate worm signatures. Our experiments show that the proposed technique can accurately detect worms with concise signatures. Moreover, our results indicate that SAS is more robust to the byte distribution changes and noise injection attacks compared to Polygraph and Hamsa.

Original languageEnglish (US)
Pages (from-to)269-283
Number of pages15
JournalInternational Journal of Information Security
Issue number5
StatePublished - Oct 2011

All Science Journal Classification (ASJC) codes

  • Software
  • Information Systems
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications


Dive into the research topics of 'SAS: Semantics aware signature generation for polymorphic worm detection'. Together they form a unique fingerprint.

Cite this