An efficient worm defense system based signature extraction

The fast spread of worm is a great challenge to Internet security. Most current defense systems use signature matching approach while most signatures are developed manually. It is difficult. to catch variety of new worms promptly. An efficient worm defense system is designed and implemented to provide early warning at the moment the worms start to spread on the network and to contain or slow down the spread of the worm by automatically extracting a signature that could be used by firewalls or Intrusion Prevention Systems. Several recent efforts to automatically extract worm signatures from Internet traffic have been done, but the efficiency is an unsolved problem especially in real high-speed network. We propose a binary clustering algorithm and a leaves preferred policy to improve the front traffic filter, which can reduce the traffic to be processed and enhance its purity. A position-aware. signature generation: method based bloom filter is proposed to bring better performance and more accurate signature for content-based defense. Both trace data and tcpdump data are used to test the prototype system. Experiment results show the system can efficiently filter through suspicious traffic with high purity, which is no more than 25% of entire traffic, and extract more accurate signature, which can well support popular defense system such as Snort.