With the development of polymorphic worms, worms do greater harm to networks. The content-based signature generation of polymorphic worms has been a challenge for network security. This paper presents a fast signature generation method for polymorphic worms. The main feature of this method is clustering network normal traffic to create a white list before carrying out a comprehensive analysis of malicious traffic. Compared with other methods, this approach avoids the large number of comparisons with normal network traffic pool because of the white list. It is proved by experiments that our approach has a good noise-tolerant capability and high efficiency, and signatures generated by our method have a high accuracy.