Network-based and attack-resilient length signature generation for zero-day polymorphic worms

Zhichun Li*, Lanjia Wang, Yan Chen, Zhi Fu

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contribution

19 Scopus citations


It is crucial to detect zero-day polymorphic worms and to generate signatures at the edge network gateways or honeynets so that we can prevent the worms from propagating at their early phase. However, most existing network-based signatures generated are not vulnerability-based and can be easily evaded by attacks. In this paper, we propose generating vulnerability-based signatures on the network level without any host-level analysis of worm execution or vulnerable programs. As the first step, we design a network-based Length-based Signature Generator (LESG) for worms based on buffer overflow vulnerabilities1. The signatures generated are intrinsic to buffer overflows, and are very hard for attackers to evade. We further prove the attack resilience bounds even under worst case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching. Evaluation based on real-world vulnerabilities of various protocols and real network traffic demonstrates that LESG is promising in achieving these goals.

Original languageEnglish (US)
Title of host publicationProceedings - 15th IEEE International Conference on Network Protocols, ICNP 2007
Number of pages10
StatePublished - 2007
Event15th IEEE International Conference on Network Protocols, ICNP 2007 - Beijing, China
Duration: Oct 16 2007Oct 19 2007

Publication series

NameProceedings - International Conference on Network Protocols, ICNP
ISSN (Print)1092-1648


Other15th IEEE International Conference on Network Protocols, ICNP 2007

ASJC Scopus subject areas

  • Engineering(all)

Cite this