Abstract—IARMSG: Incremental Association Rule Mining for Automatic Worm Signature Generation

IARMSG: Incremental Association Rule Mining for Automatic Worm Signature Generation Written by Administrator Wednesday, 16 March 2011 09:20 Last Updated Monday, 21 March 2011 07:11 In recent era, Internet worms are one of seriousthreats which have been a major cause of intrusion attempts.Traditional Intrusion Detection Systems (IDS) store allknown worm signatures and monitors real time traffic to find out these signatures and prevent possible intrusion attempts.This approach is not useful for newly evolved worms due to the unavailability of their signatures. Present worm signature generation work needs manual analysis which is timeconsuming process. To circumvent these problems substantial efforts have been made which automate the process of worm signature generation.In this paper we address the problem of automating worm signature generation process. We propose an Incremental Association Rule Based Signature Generation (IARMSG) algorithm which operates at network entry point to find out new attack patterns and generate signatures. We use content invariance and prevalence characteristics of the worms for worm signature generation. Our system is highly effective against newly evolved worms and slow propagating worms. Our System operates offline and hence is stable against Denial of Service attacks (DOS). These are significan improvements over existing automated worm signature generation methods like Earlybird and Autograph.