ABSTRACT

This chapter discusses how to generate signatures for polymorphic worms and describes the algorithms used to do so. String-matching algorithms are basic building blocks of practical software and are found in most operating systems. String matching also plays an important role in network intrusion detection systems, which detect malicious attacks and protect networked systems. The modified Knuth-Morris-Pratt algorithm is a signature generator that searches for the occurrences of given words in a text string. Polymorphic worms evade signature-based intrusion detection systems by changing their payloads in every infection attempt. The modified Knuth-Morris-Pratt algorithm (MKMPA) compares the substrings of captured polymorphic worm instances to find multiple invariant substrings shared among all instances; these invariant substrings are then used as the signature of the polymorphic worm. The substring extraction algorithm extracts candidate substrings from a polymorphic worm instance, whereas the MKMPA identifies the invariant substrings that are shared by all polymorphic worm instances and uses them as signatures.
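The following is an added illustration, not code from the chapter, of the two-stage idea the abstract describes: a substring extraction step that produces fixed-length candidate substrings from one captured instance, and a Knuth-Morris-Pratt search that keeps only candidates present in every other instance, greedily extending each surviving candidate to a maximal invariant substring. The byte strings in `SAMPLES` are constructed placeholders that stand in for captured worm instances (an invariant framing with a varying filler), and the function and parameter names are the author's own choices for this example.

```python
"""Invariant-substring signature generation over several captured instances.

Added example (not the chapter's code): a KMP string matcher plus a greedy
extractor that keeps only substrings shared by all instances.
"""
from typing import List, Set


def kmp_table(pattern: bytes) -> List[int]:
    """Failure function: table[i] is the length of the longest proper border
    of pattern[:i+1]. This is what lets KMP skip without re-reading text."""
    table = [0] * len(pattern)
    k = 0
    for i in range(1, len(pattern)):
        while k > 0 and pattern[i] != pattern[k]:
            k = table[k - 1]
        if pattern[i] == pattern[k]:
            k += 1
        table[i] = k
    return table


def kmp_search(text: bytes, pattern: bytes) -> List[int]:
    """Return every start offset at which pattern occurs in text (O(n + m))."""
    if not pattern:
        return []
    table = kmp_table(pattern)
    matches = []
    q = 0  # number of pattern bytes currently matched
    for i, c in enumerate(text):
        while q > 0 and c != pattern[q]:
            q = table[q - 1]
        if c == pattern[q]:
            q += 1
        if q == len(pattern):
            matches.append(i - len(pattern) + 1)
            q = table[q - 1]  # keep looking for overlapping occurrences
    return matches


def extract_substrings(sample: bytes, length: int) -> Set[bytes]:
    """Substring extraction step: every window of the given length in one instance."""
    return {sample[i:i + length] for i in range(len(sample) - length + 1)}


def invariant_signatures(samples: List[bytes], min_len: int = 3) -> List[bytes]:
    """Find maximal substrings of samples[0] that occur in every other sample.

    Candidates of min_len bytes are taken from the first instance in order; a
    candidate that KMP finds in all other instances is extended byte by byte
    for as long as the extension is still shared, then emitted as a signature.
    """
    base, others = samples[0], samples[1:]

    def shared(sub: bytes) -> bool:
        return all(kmp_search(other, sub) for other in others)

    signatures = []
    i = 0
    while i + min_len <= len(base):
        if not shared(base[i:i + min_len]):
            i += 1
            continue
        end = i + min_len
        while end < len(base) and shared(base[i:end + 1]):
            end += 1
        signatures.append(base[i:end])
        i = end  # resume after the invariant region just emitted
    return signatures


# Constructed stand-ins for captured instances: the framing tokens are
# invariant, the four-byte fillers change on every "infection attempt".
SAMPLES = [
    b"OPEN aaaa SEND bbbb END",
    b"OPEN xyzw SEND qrst END",
    b"OPEN 1234 SEND 5678 END",
]


def demo_signatures() -> List[bytes]:
    """Run the extractor over the constructed samples."""
    return invariant_signatures(SAMPLES, min_len=3)


if __name__ == "__main__":
    for sig in demo_signatures():
        print(sig)
```

Each signature is a substring found in every instance, so a detector can match the set against traffic with the same KMP routine; the varying filler never survives because no window of it is shared. In practice `min_len` trades specificity for robustness: a larger value rejects short coincidental matches, a smaller one tolerates instances that share only brief invariant fragments.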