Thwarting zero-day polymorphic worms with network-level length-based signature generation

Lanjia Wang*, Zhichun Li, Yan Chen, Zhi Judy Fu, Xing Li

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

23 Scopus citations


It is crucial to detect zero-day polymorphic worms and to generate signatures at network gateways or honeynets so that we can prevent worms from propagating in their early phase. However, most existing network-based signatures are exploit-specific and can be easily evaded. In this paper, we propose generating vulnerability-driven signatures at the network level without any host-level analysis of worm execution or vulnerable programs. As the first step, we design a network-based length-based signature generator (LESG) for worms exploiting buffer overflow vulnerabilities. It is reported that more than 75% of vulnerabilities are based on buffer overflow. The signatures generated are intrinsic to buffer overflows, and are very difficult for attackers to evade. We further prove the attack resilience bounds even under worst-case attacks with deliberate noise injection. Moreover, LESG is fast and noise-tolerant and has efficient signature matching. Evaluation based on real-world vulnerabilities of various protocols and real network traffic demonstrates that LESG is promising in achieving these goals.
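The following is an added illustration of the idea behind a length-based signature, not code from the paper or the LESG implementation. A buffer-overflow exploit must place an over-long value in some protocol field, so a signature of the form "field F is at least L bytes long" keys on the vulnerability rather than on payload bytes and survives polymorphic rewriting of the payload. The line-based protocol, the field names, the threshold-selection rule (smallest suspicious-pool length that keeps coverage above a floor and false positives below a ceiling) and all sample messages are constructed assumptions for this example; the noise flow in the suspicious pool shows why a coverage floor below 100% is needed.

```python
"""Toy length-based signature generation and matching (constructed example)."""
from typing import Dict, List, NamedTuple, Optional


class LengthSignature(NamedTuple):
    field: str                  # protocol field the signature applies to
    min_length: int             # flag a message when this field is at least this long
    coverage: float             # fraction of the suspicious pool the signature matches
    false_positive_rate: float  # fraction of the normal pool the signature matches


def parse_fields(message: bytes) -> Dict[str, bytes]:
    """Parse a constructed 'KEY: value\\r\\n' protocol into a field -> value map."""
    fields: Dict[str, bytes] = {}
    for line in message.split(b"\r\n"):
        if b":" not in line:
            continue
        key, _, value = line.partition(b":")
        fields[key.strip().decode("ascii", "replace")] = value.strip()
    return fields


def field_lengths(pool: List[bytes], field: str) -> List[int]:
    """Length of `field` in every message of the pool (0 when the field is absent)."""
    return [len(parse_fields(m).get(field, b"")) for m in pool]


def generate_signature(suspicious: List[bytes], normal: List[bytes],
                       min_coverage: float = 0.6,
                       max_fp: float = 0.05) -> Optional[LengthSignature]:
    """Pick the (field, length) pair that best separates the two pools.

    Candidate thresholds are the field lengths observed in the suspicious pool.
    A candidate is kept only if it covers at least `min_coverage` of the
    suspicious pool (tolerating injected noise flows) and matches at most
    `max_fp` of the normal pool. Among kept candidates the highest coverage
    wins, then the lowest false-positive rate, then the longer threshold.
    """
    fields = set()
    for msg in suspicious:
        fields.update(parse_fields(msg))
    best: Optional[LengthSignature] = None
    for field in sorted(fields):
        susp = field_lengths(suspicious, field)
        norm = field_lengths(normal, field)
        for threshold in sorted(set(susp)):
            coverage = sum(1 for n in susp if n >= threshold) / len(susp)
            fp = (sum(1 for n in norm if n >= threshold) / len(norm)) if norm else 0.0
            if coverage < min_coverage or fp > max_fp:
                continue
            cand = LengthSignature(field, threshold, coverage, fp)
            if best is None or (cand.coverage, -cand.false_positive_rate, cand.min_length) > \
                    (best.coverage, -best.false_positive_rate, best.min_length):
                best = cand
    return best


def matches(sig: LengthSignature, message: bytes) -> bool:
    """Signature matching is a single length comparison per message."""
    return len(parse_fields(message).get(sig.field, b"")) >= sig.min_length


# Constructed sample traffic: benign logins with short fields.
NORMAL_POOL = [
    b"USER: alice\r\nPASS: s3cretpw\r\n",
    b"USER: bob\r\nPASS: hunter2xx\r\n",
    b"USER: carol_j\r\nPASS: longerpassword1\r\n",
    b"USER: dave\r\nPASS: abcdef\r\n",
    b"USER: erin\r\nPASS: p4ssw0rd!!\r\n",
]
# Constructed suspicious pool: three polymorphic variants whose payload bytes
# differ but which all carry an over-long USER field, plus one injected
# benign-looking noise flow that an adversary might add to spoil the signature.
_NO_CRLF = bytes(i for i in range(256) if i not in (10, 13))
SUSPICIOUS_POOL = [
    b"USER: " + b"A" * 300 + b"\r\nPASS: x\r\n",
    b"USER: " + b"\x90" * 280 + b"\r\nPASS: y\r\n",
    b"USER: " + _NO_CRLF + b"Z" * 60 + b"\r\nPASS: z\r\n",
    b"USER: mallory\r\nPASS: noise\r\n",
]

if __name__ == "__main__":
    sig = generate_signature(SUSPICIOUS_POOL, NORMAL_POOL)
    print(sig)
    print("fresh variant flagged:", matches(sig, b"USER: " + b"Q" * 500 + b"\r\n"))
```

On the constructed pools the generator settles on the USER field with a 280-byte threshold: the 7-byte noise flow drags the full-coverage threshold down to a length that carol_j's benign login would also exceed, so that candidate is rejected on false positives, and the next candidate covers the three real variants with no benign hits. Matching at the gateway is then one length comparison per field, independent of the payload bytes an attacker rewrites.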

Original language: English (US)
Article number: 5200325
Pages (from-to): 53-66
Number of pages: 14
Journal: IEEE/ACM Transactions on Networking
Issue number: 1
State: Published - Feb 2010


  • Length-based signature
  • Polymorphic worm
  • Worm signature generation
  • Zero-day vulnerability

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
  • Computer Networks and Communications
  • Electrical and Electronic Engineering

