JOURNAL ARTICLE
Detecting Zero-day Polymorphic Worms Using Honeywall.
Published In: Journal of Cybersecurity & Information Management, 2025, v. 15, n. 1. P. 34 1 of 3
Database: Applied Science & Technology Source Ultimate 2 of 3
Authored By: Mohammed, Mohssen; Nour, Mohamed Abdalla; Elhoseny, Mohamed 3 of 3
Abstract
A polymorphic worm is a kind of worm that can change its payload in every infection attempt, so it can evade the Intrusion Detection Systems (IDSs) and perform illegal activities that lead to high losses. These worms can mutate as they spread across the network, causing most of the existing IDSs to carry out the polymorphic worm's detection with high levels of both false positives and false negatives. In this paper, we propose a double-honeynet system that can detect polymorphic worm instances automatically. The Double-honeynet system is a hybrid system with both Network-based and Host-based mechanisms. This allows us to collect polymorphic worm instances at the network-level and host-level, which reduces the false positives and false negatives dramatically. The experimental deployment of a Double-honeynet network over a seven-day period successfully collected instances of various polymorphic worms, including 3511 Allaple, 3228 Conficker, 2817 Blaster, and 2452 Sasser worms. By utilizing, the Honeywall's Walleye interface; we were able to analyze the data and simulate the detection of these worms by generating new signatures, which were not previously recorded, demonstrating the system's capability to detect zero-day polymorphic threats. Analysis of Blaster worm instances revealed significant similarities in their payloads due to exe headers, indicating the necessity of preprocessing to remove these headers before signature generation, although the generation of signatures is beyond the scope of this study. [ABSTRACT FROM AUTHOR]
Additional Information
- Source:Journal of Cybersecurity & Information Management. 2025/01, Vol. 15, Issue 1, p34
- Document Type:Article
- Subject Area:Computer Science
- Publication Date:2025
- ISSN:27697851
- DOI:10.54216/JCIM.150104
- Accession Number:181172142
- Copyright Statement:Copyright of Journal of Cybersecurity & Information Management is the property of American Scientific Publishing Group and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.)
Looking to go deeper into this topic? Look for more articles on EBSCOhost.