Thwarting Zero-Day Polymorphic Worms With Network-Level Length-Based Signature Generation

Source: Institute of Electrical and Electronics Engineers

It is crucial to detect zero-day polymorphic worms and to generate signatures at network gateways or honeynets so that worms can be prevented from propagating in their early phase. However, most existing network-based signatures are exploit-specific and can be easily evaded. In this paper, the authors propose generating vulnerability-driven signatures at the network level without any host-level analysis of worm execution or vulnerable programs. As a first step, they design a network-based LEngth-based Signature Generator (LESG) for worms that exploit buffer overflow vulnerabilities.
Format: PDF Size: 853.40
Date: May 2010