Online Detect Polymorphic Exploit Based on Data Mining
Wei Wang¹, Huazhang Wang, Daisheng Luo, Yong Fang
¹ Institute of Image & Information, Sichuan University, China
Available Online October 2007.
- DOI: 10.2991/iske.2007.216
- Data-mining, polymorphic worms, security
In recent years, Internet worms have increasingly threatened Internet hosts and services, and polymorphic worms can evade signature-based intrusion detection systems. We propose DMPolD (Data Mining Polymorphism Detection) to detect polymorphic exploits based on semantic signatures and data mining. We analyze the features of polymorphic exploits and the features of perfect ones. We propose a method to detect worms online by recognizing the JUMP address using data mining, i.e., Bayes. To prove this idea, we implement a Snort plug-in, ODMSnort, and run experiments on it. The evaluation results show that DMPolD can detect polymorphic exploits and has a very low false-positive rate.
- © 2007, the Authors. Published by Atlantis Press.
- Open Access
- This is an open access article distributed under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/).
Cite this article
TY - CONF
AU - Wei Wang
AU - Huazhang Wang
AU - Daisheng Luo
AU - Yong Fang
PY - 2007/10
DA - 2007/10
TI - Online Detect Polymorphic Exploit Based on Data Mining
BT - Proceedings of the 2007 International Conference on Intelligent Systems and Knowledge Engineering (ISKE 2007)
PB - Atlantis Press
SP - 1269
EP - 1275
SN - 1951-6851
UR - https://doi.org/10.2991/iske.2007.216
DO - 10.2991/iske.2007.216
ID - Wang2007/10
ER -