Generating Simplified Regular Expression Signatures for Polymorphic Worms

It is crucial to automatically generate accurate and effective signatures to defense against polymorphic worms. Previous work using conjunctions of tokens or token subsequence could lose some important information, like ignoring 1 byte token and neglecting the distances in the sequential tokens. In this paper we propose the Simplified Regular Expression (SRE) signature, and present its signature generation method based on the multiple sequence alignment algorithm. The multiple sequence alignment algorithm is extended from the pairwise sequence alignment algorithm, which encourages the contiguous substring extraction and is able to support wildcard string alignment and to preserve the distance of invariant content segment in generated SRE signatures. Thus, the generated SRE signature can express distance information for invariant content in polymorphic worms, which in turn makes even 1 byte invariant content extracted from polymorphic worms become valuable. Experiments on several types of polymorphic worms show that, compared with signatures generated by current network-based signature generation systems (NSGs), the generated SRE signatures are more accurate and precise to match polymorphic worms.