Graph based signature classes for detecting polymorphic worms via content analysis

Malicious softwares such as trojans, viruses, or worms can cause serious damage for information systems by exploiting operating system and application software vulnerabilities. Worms constitute a significant proportion of overall malicious software and infect a large number of systems in very short periods. Polymorphic worms combine polymorphism techniques with self-replicating and fast-spreading characteristics of worms. Each copy of a polymorphic worm has a different pattern so it is not effective to use simple signature matching techniques. In this work, we propose a graph based classification framework of content based polymorphic worm signatures. This framework aims to guide researchers to propose new polymorphic worm signature schemes. We also propose a new polymorphic worm signature scheme, Conjunction of Combinational Motifs (CCM), based on the defined framework. CCM utilizes common substrings of polymorphic worm copies and also the relation between those substrings through dependency analysis. CCM is resilient to new versions of a polymorphic worm. CCM also automatically generates signatures for new versions of a polymorphic worm, triggered by partial signature matches. Experimental results support that CCM has good flow evaluation time performance with low false positives and low false negatives.