Journal of Cybersecurity and Information Management
JCIM
2690-6775
2769-7851
10.54216/JCIM
https://www.americaspg.com/journals/show/3070
2019
2019
Detecting Zero-day Polymorphic Worms Using Honeywall
Mohamed Mohamed, College of Computing and Informatics, University of Sharjah, UAE
Mohamed Abdalla Nour, College of Computing and Informatics, University of Sharjah, UAE
Mohamed Elhoseny, College of Computing and Informatics, University of Sharjah, UAE
A polymorphic worm is a worm that changes its payload on every infection attempt, so it can evade Intrusion Detection Systems (IDSs) and carry out malicious activity that leads to heavy losses. Because these worms mutate as they spread across the network, most existing IDSs detect them with high rates of both false positives and false negatives. In this paper, we propose a double-honeynet system that detects polymorphic worm instances automatically. The Double-honeynet is a hybrid system that combines network-based and host-based mechanisms, which lets us collect polymorphic worm instances at both the network level and the host level and reduces false positives and false negatives dramatically. An experimental Double-honeynet deployment run over a seven-day period collected instances of several polymorphic worms: 3511 Allaple, 3228 Conficker, 2817 Blaster, and 2452 Sasser. Using the Honeywall's Walleye interface, we analyzed the collected data and simulated the detection of these worms by generating new signatures that had not previously been recorded, demonstrating the system's ability to detect zero-day polymorphic threats. Analysis of the Blaster instances showed that much of the similarity between their payloads comes from their shared executable (EXE) headers, so these headers must be removed in a preprocessing step before signatures are generated; signature generation itself is beyond the scope of this study.
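The preprocessing point in the abstract (shared executable headers inflate payload similarity and would dominate any content-based signature) can be illustrated with a small added example. This is not the paper's code, and the paper leaves signature generation out of scope; the header, the "invariant core" and the benign program bytes below are constructed stand-ins, not worm captures. Deriving a signature as the longest byte string common to all collected instances picks out the header when it is left in place, which would also match harmless executables; stripping the common prefix first exposes the invariant part of the payload instead.

```python
# Added illustration: shared executable headers dominate payload similarity,
# so they must be stripped before a content-based signature is derived.
# Every byte string here is a constructed stand-in, not a capture from the paper.
from typing import List, Tuple

# Constructed stand-in for an executable header shared by every sample
# (a real MZ/PE header is longer; only its shape matters here).
FAKE_EXE_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"\xb8\x00\x00\x00\x00\x00\x00\x00PE\x00\x00"
)
# Constructed stand-in for the invariant (non-mutating) part of an exploit payload.
INVARIANT_CORE = b"\x8b\x45\x04\x89\x45\xfc\xe8\x00\x00\x00\x00\x58"
# Constructed harmless executable: same header, no exploit core.
BENIGN_SAMPLE = FAKE_EXE_HEADER + b"Hello from a harmless program\x00"


def make_polymorphic_instances() -> List[bytes]:
    """Three constructed worm instances: identical header and invariant core,
    wrapped in per-instance filler that plays the role of the mutating part."""
    fillers = [
        b"\x90\x90\x90\x90\x90\x90\x90\x41\x42\x43",
        b"\x4d\x4e\x4f\x50\x90\x90\x90\x90\x90\x51",
        b"\x12\x34\x56\x78\x9a\xbc\xde\xf0\x11\x22",
    ]
    return [FAKE_EXE_HEADER + f + INVARIANT_CORE + f[::-1] for f in fillers]


def longest_common_substring(samples: List[bytes]) -> bytes:
    """Longest byte string present in every sample (brute force, adequate
    for a handful of short samples; real tooling would use a suffix structure)."""
    if not samples:
        return b""
    shortest = min(samples, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(0, len(shortest) - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in s for s in samples):
                return candidate
    return b""


def strip_common_prefix(samples: List[bytes]) -> Tuple[List[bytes], int]:
    """Remove the byte prefix shared by all samples (the header the abstract
    says must be preprocessed away) and report how many bytes were dropped."""
    limit = min(len(s) for s in samples)
    prefix_len = 0
    while prefix_len < limit and len({s[prefix_len] for s in samples}) == 1:
        prefix_len += 1
    return [s[prefix_len:] for s in samples], prefix_len


def derive_signature(samples: List[bytes], strip_header: bool) -> bytes:
    """Content signature = longest common substring, optionally after
    stripping the shared header prefix."""
    if strip_header:
        samples, _ = strip_common_prefix(samples)
    return longest_common_substring(samples)


def matches(signature: bytes, payload: bytes) -> bool:
    """Naive signature match: the signature occurs somewhere in the payload."""
    return bool(signature) and signature in payload


if __name__ == "__main__":
    instances = make_polymorphic_instances()
    raw_sig = derive_signature(instances, strip_header=False)
    clean_sig = derive_signature(instances, strip_header=True)
    print("without preprocessing:", raw_sig.hex(), "-> matches benign:", matches(raw_sig, BENIGN_SAMPLE))
    print("after header stripping:", clean_sig.hex(), "-> matches benign:", matches(clean_sig, BENIGN_SAMPLE))
```

With the header left in, the derived signature is the header itself and fires on the benign executable as well; after the common prefix is removed, the signature collapses to the invariant core, which still matches every worm instance and not the benign sample. Real captures would also need the header length bounded to the actual executable header format rather than "everything the samples share", otherwise invariant exploit bytes immediately following the header would be stripped too.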
2025
2025
34
49
10.54216/JCIM.150104
https://www.americaspg.com/articleinfo/2/show/3070