Investigations of automatic methods for detecting the polymorphic worms signatures

• An Enhanced Contiguous Substring Rewarded (ECSR) algorithm is developed.
• The signature can produce a loss of vital information such as ignoring one byte token.
• The SRE needs to be updated and accurate when compared with autograph and polygraph methods.

This paper investigates the current automatics methods used to generate efficient and accurate signatures to create countermeasures against attacks by polymorphic worms. These strategies include autograph, polygraph and Simplified Regular Expression (SRE). They rely on network-based signature detection and filtering content network traffic, as the signature generated by these methods can be read by Intrusion Prevention systems and firewalls. In this paper, we also present the architecture and evaluation of each method, and the implementation used as patterns by SRE mechanism to extract accurate signatures. Such implementation was accomplished through use of the Needleman–Wunsch algorithm, which was inadequate to manage the invariant parts and distances restrictions of the polymorphic worm. Consequently, an Enhanced Contiguous Substring Rewarded (ECSR) algorithm is developed to improve the result extraction from the Needleman–Wunsch algorithm and generate accurate signatures. The signature generation by SRE is found to be more accurate and efficient as it preserves all the important features of polymorphic worms. The evaluation results show that the signature contains conjunctions of tokens, or token subsequence can produce a loss of vital information such as ignoring one byte token or neglecting the restriction distances. Furthermore, the Simplified Regular Expression needs to be updated and accurate when compared with autograph and polygraph methods.