Journal of Cybersecurity and Information Management JCIM 2690-6775 2769-7851 10.54216/JCIM https://www.americaspg.com/journals/show/3070 2019 2019 College of Computing and Informatics, University of Sharjah, UAE Mohamed Mohamed College of Computing and Informatics, University of Sharjah, UAE Mohamed Abdalla Nour College of Computing and Informatics, University of Sharjah, UAE Mohamed Elhoseny A polymorphic worm is a kind of worm that can change its payload in every infection attempt, so it can evade the Intrusion Detection Systems (IDSs) and perform illegal activities that lead to high losses. These worms can mutate as they spread across the network, causing most of the existing IDSs to carry out the polymorphic worm’s detection with high levels of both false positives and false negatives. In this paper, we propose a double-honeynet system that can detect polymorphic worm instances automatically. The Double-honeynet system is a hybrid system with both Network-based and Host-based mechanisms. This allows us to collect polymorphic worm instances at the network-level and host-level, which reduces the false positives and false negatives dramatically. The experimental deployment of a Double-honeynet network over a seven-day period successfully collected instances of various polymorphic worms, including 3511 Allaple, 3228 Conficker, 2817 Blaster, and 2452 Sasser worms. By utilizing, the Honeywall's Walleye interface; we were able to analyze the data and simulate the detection of these worms by generating new signatures, which were not previously recorded, demonstrating the system's capability to detect zero-day polymorphic threats. Analysis of Blaster worm instances revealed significant similarities in their payloads due to exe headers, indicating the necessity of preprocessing to remove these headers before signature generation, although the generation of signatures is beyond the scope of this study. 2025 2025 34 49 10.54216/JCIM.150104 https://www.americaspg.com/articleinfo/2/show/3070