Institute of Electrical & Electronic Engineers
Network-based Signature Generation (NSG) has been proposed as a way to automatically and quickly generate accurate signatures for worms, especially polymorphic worms. In this paper, the authors propose a new NSG system, PolyTree, to defend against polymorphic worms. They observe that signatures from worms and their variants are related and that a tree structure can properly reflect their familial resemblance. Hence, in contrast to the isolated view of generated signatures in previous papers, PolyTree organizes signatures extracted from worm samples into a tree structure, called a signature tree, based on the formally defined "More specific" relation of simplified regular expression signatures.
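The sketch below is an added example, not code from the paper or from PolyTree. It shows how signatures can be arranged into a tree by a "more specific" relation and how a payload is then matched against the chain from general to specific. It assumes a simplified regular expression signature is an ordered tuple of byte tokens, and uses a sufficient containment check to stand in for the paper's formal definition; all names and sample signatures are constructed.

```python
# Added illustration, not PolyTree's code. Assumption: a signature is a tuple
# of byte tokens (t1, ..., tn), read as the regular expression .*t1.*...tn.*

def more_specific(a, b):
    """True if b's tokens embed, in order and without overlap, into a's tokens,
    so every payload matched by a is also matched by b (a sufficient check)."""
    i, pos = 0, 0
    for tok in b:
        while i < len(a):
            k = a[i].find(tok, pos)
            if k >= 0:
                pos = k + len(tok)
                break
            i, pos = i + 1, 0
        else:
            return False
    return True

class Node:
    def __init__(self, sig):
        self.sig, self.children = sig, []

def insert(node, sig):
    """Place sig under the deepest node it is more specific than."""
    if sig == node.sig:
        return node
    for child in node.children:
        if more_specific(sig, child.sig):
            return insert(child, sig)
    new = Node(sig)
    # Existing children that refine the new signature move beneath it.
    new.children = [c for c in node.children if more_specific(c.sig, sig)]
    node.children = [c for c in node.children if c not in new.children] + [new]
    return new

def classify(node, payload):
    """Return the chain of signatures, general to specific, matching payload."""
    for child in node.children:
        if more_specific((payload,), child.sig):  # payload as a one-token signature
            return [node.sig] + classify(child, payload)
    return [node.sig]

# Constructed sample signatures, inserted out of order on purpose.
S1 = (b"GET ", b"HTTP/1.1")
S2 = (b"GET /a.php", b"HTTP/1.1", b"Host:")
S3 = (b"GET /a.php?id=", b"HTTP/1.1\r\n", b"Host:", b"\xde\xad")
S4 = (b"POST ", b"HTTP/1.1")

def build():
    root = Node(())  # the empty signature matches everything
    for sig in (S3, S4, S1, S2):
        insert(root, sig)
    return root
```

Inserting `S1` after `S3` re-parents `S3` beneath it, so the tree ends up as `S1 -> S2 -> S3` with `S4` as an unrelated sibling regardless of arrival order.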