Volume 15 , Issue 1 , PP: 34-49, 2025 | Cite this article as | XML | Html | PDF | Full Length Article
Mohssen Mohammed 1 , Mohamed Abdalla Nour 2 * , Mohamed Elhoseny 3 *
Doi: https://doi.org/10.54216/JCIM.150104
A polymorphic worm is a kind of worm that can change its payload in every infection attempt, so it can evade the Intrusion Detection Systems (IDSs) and perform illegal activities that lead to high losses. These worms can mutate as they spread across the network, causing most of the existing IDSs to carry out the polymorphic worm’s detection with high levels of both false positives and false negatives. In this paper, we propose a double-honeynet system that can detect polymorphic worm instances automatically. The Double-honeynet system is a hybrid system with both Network-based and Host-based mechanisms. This allows us to collect polymorphic worm instances at the network-level and host-level, which reduces the false positives and false negatives dramatically. The experimental deployment of a Double-honeynet network over a seven-day period successfully collected instances of various polymorphic worms, including 3511 Allaple, 3228 Conficker, 2817 Blaster, and 2452 Sasser worms. By utilizing, the Honeywall's Walleye interface; we were able to analyze the data and simulate the detection of these worms by generating new signatures, which were not previously recorded, demonstrating the system's capability to detect zero-day polymorphic threats. Analysis of Blaster worm instances revealed significant similarities in their payloads due to exe headers, indicating the necessity of preprocessing to remove these headers before signature generation, although the generation of signatures is beyond the scope of this study.
Polymorphic Worms , Zero-day Threats , Cybersecurity , Network Security , Intrusion Detection Systems (IDS) , Honeynet , Honeywall , Malware Detection , Walleye Interface , Worm Signature Generation
[1] Mohammed, M.M.Z.E., Chan, H.A., Ventura, N., Hashim, M., and Amin, I., “A modified Knuth-Morris-Pratt Algorithm for Zero-day Polymorphic Worms Detection”, In Proceedings of the 2009 International Conference on Security & Management (SAM 2009), July 13-16, 2009, Las Vegas Nevada, USA, 2 Volumes, CSREA Press, 2009, pp. 652-657.
[2] Mohammed, , M.M.Z.E. and Chan, H.A., “Honeycyber: Automated Signature Generation for Zero-day Polymorphic Worms”, Proceedings of the IEEE Military Communications Conference (MILCOM), San Diego, USA, 17-19 Nov. 2008, pp. 1-6.
[3] Mohssen M.Z.E.M, Chan, H.A., Ventura, N., Hashim, M., and Amin, I., “Accurate Signature Generation for Polymorphic Worms Using Principal Component Analysis”, Proceedings of IEEE Globecom 2010 Workshop on Web and Pervasive Security (WPS 2010), Miami, Florida, USA,6-10 December 2010, pp. 1555-1560.
[4] R. Kaur and M. Singh, ‘A survey on zero-day polymorphic worm detection techniques’, IEEE Communications Surveys and Tutorials, vol. 16, no. 3, pp. 1520–1549, 2014.
[5] S. M. A. Sulieman and Y. A. Fadlalla, ‘Detecting Zero-day Polymorphic Worm: A Review’, in 2018 21st Saudi Computer Society National Computer Conference (NCC), 2018, pp. 1–7.
[6] D. V. Silva and G. D. R. Rafael, ‘A review of the current state of Honeynet architectures and tools’, International Journal of Security and Networks, vol. 12, no. 4, pp. 255–272, 2017.
[7] N. Kailasanathan, S. Somayaji, S. Fuladi, F. Benedetto, S. Ulaganathan, and G. Yenduri, ‘Enhancing Security of Host-Based Intrusion Detection Systems for the Internet of Things’, IEEE Access, vol. PP, pp. 1–1, 01 2024.
[8] M. M. Z. E. Mohammed, H. A. Chan, N. Ventura, and A.-S. K. Pathan, ‘An automated signature generation method for zero-day polymorphic worms based on multilayer perceptron model’, 2013, pp. 450–455.
[9] J. Newsome, B. Karp, and D. Song, ‘Polygraph: automatically generating signatures for polymorphic worms’, in 2005 IEEE Symposium on Security and Privacy (S&P’05), 2005, pp. 226–241.
[10] M. Abu Rajab, J. Zarfoss, F. Monrose, and A. Terzis, ‘A multifaceted approach to understanding the botnet phenomenon’, in Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, Rio de Janeriro, Brazil, 2006, pp. 41–52.
[11] U. K. Tupakula and V. Varadharajan, ‘Dynamic state-based security architecture for detecting security attacks in virtual machines’, Computer Journal, vol. 55, no. 4, pp. 397–409, 2012.
[12] F. Alhaidari et al., ‘ZeVigilante: Detecting Zero-Day Malware Using Machine Learning and Sandboxing Analysis Techniques’, Computational Intelligence and Neuroscience, vol. 2022, p. 1615528, May 2022.
[13] G A Priyanka , Ashwin Kumar H R , Deepika S , Neha Bindinganavalle, Manjunath G S, ‘Detecting Zero Day Malware’, INTERNATIONAL JOURNAL OF ENGINEERING RESEARCH & TECHNOLOGY (IJERT), vol. 08, issue. 05, May 2019.
[14] R. Kaur and M. Singh, ‘Efficient hybrid technique for detecting zero-day polymorphic worms’, 2014, pp. 95–100.
[15] M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos, ‘Network-level polymorphic shellcode detection using emulation’, Journal in Computer Virology, vol. 2, no. 4, pp. 257–274, Feb. 2007.
[16] S. G. Cheetancheri, ‘Collaborative defense against zero-day and polymorphic worms: detection, response and an evaluation framework’, University of California at Davis, USA, 2007.
[17] A. A. Shahin, ‘Polymorphic Worms Collection in Cloud Computing’, arXiv [cs.DC]. 2014.
[18] S. M. Sohi, J.-P. Seifert, and F. Ganji, ‘RNNIDS: Enhancing network intrusion detection systems through deep learning’, Computers and Security, vol. 102, 2021.
[19] H. Al-Rushdan, M. Shurman, S. H. Alnabelsi, and Q. Althebyan, ‘Zero-Day Attack Detection and Prevention in Software-Defined Networks’, in 2019 International Arab Conference on Information Technology (ACIT), 2019, pp. 278–282.
[20] D. Denysiuk, O. Geidarova, M. Kapustian, S. Lysenko, and A. Sachenko, ‘Blockchain-based Deep Learning Algorithm for Detecting Malware’, in International Workshop on Intelligent Information Technologies & Systems of Information Security, 2023.
[21] Know your enemy Honeywall cdrom roo. Available at: https://projects.honeynet.org/honeywall/ (last accessed: August 18, 2012)
[22] The Honeynet Project. Roo CDROM User’s Manual, Available at: http://old.honeynet.org/tools/cdrom/roo/manual/index.html (last accessed: August 18, 2012)
[23] Know your enemy Sebek, a kernel based data capture tool. Available at: http://old.honeynet.org/papers/sebek.pdf (last accessed: August 18, 2012)
[24] Snort – The de facto Standard for Intrusion Detection/Prevention. Available at: http://www.snort.org (last accessed: August 18, 2012)
