Mining Network Traffic for Worm Signature Extraction

Recent worm increasingly threaten the availability of Internet. It is difficult to catch variety of 0day worms promptly with current signature matching approach because most signatures are developed manually. Several recent efforts to automatically extract worm signatures from Internet traffic have been done, but the efficiency is an unsolved problem especially in real high-speed network. We propose a binary clustering algorithm and a leaves preferred policy to improve the front traffic filter, which can reduce the traffic to be processed and enhance its purity. A position-aware signature generation method based bloom filter is proposed to bring better performance and more accurate signature for content-based defense. Both trace data and tcpdump data are used to test the prototype system and experiment results show the system can efficiently filter through suspicious traffic with high purity, which is no more than 25% of entire traffic, and extract more accurate signature, which can well support popular defense system such as Snort.