In this paper, we investigate three syntax-based sliding window schemes for automatic intrusion detection. The first method, the fixed partition sliding window scheme (FPSW), uses a fixed window size and slides the window one byte at a time. The second method, referred to as variable-length partition sliding window (VPSW), uses a variable-length window that ends at a predetermined breakmark. The third method, referred to as variable-length partition with multiple breakmarks (VPMB), is similar to VPSW except that multiple breakmarks are used. The results indicate that while the FPSW and VPSW methods are effective for detecting worms with mild changes in the worm code contents, VPMB is suitable for detecting fully polymorphic worms.
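The following is an added illustration of the three partition schemes, written for this page; it is not the paper's code, and the abstract gives no implementation details. Several assumptions are made here and marked in the code: a breakmark is modelled as a single byte value that ends a partition (so VPSW is the one-breakmark case of VPMB); partitions are turned into signatures by hashing them; a payload is scored by the fraction of its partitions that already appear in the known-worm signature set, and a detection threshold of 0.5 is chosen only for the demo. The payloads are constructed toy strings in which upper-case tokens stand for invariant content and lower-case runs for the mutable filler a polymorphic engine would rewrite.

```python
"""Toy implementation of the three syntax-based sliding-window partition schemes
(FPSW, VPSW, VPMB) used to derive content signatures for worm detection.

Added illustration, not the paper's code. Assumptions made here:
- a "breakmark" is a byte value; a partition ends right after a breakmark byte,
- signatures are digests of partitions, and a payload is flagged when the
  fraction of its partitions found in the known-worm signature set reaches a
  threshold (0.5 below, an arbitrary demo value).
"""
import hashlib
from typing import Dict, Iterable, List, Set


def fpsw_chunks(data: bytes, window: int = 4) -> List[bytes]:
    """Fixed partition, sliding window: every window-byte substring, stepping one byte."""
    if len(data) < window:
        return [data] if data else []
    return [data[i:i + window] for i in range(len(data) - window + 1)]


def vpmb_chunks(data: bytes, breakmarks: Set[int]) -> List[bytes]:
    """Variable-length partition with multiple breakmarks: cut after any breakmark byte."""
    chunks: List[bytes] = []
    start = 0
    for i, b in enumerate(data):
        if b in breakmarks:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):  # trailing bytes after the last breakmark form the final partition
        chunks.append(data[start:])
    return chunks


def vpsw_chunks(data: bytes, breakmark: int) -> List[bytes]:
    """Variable-length partition with one predetermined breakmark (VPMB with a single mark)."""
    return vpmb_chunks(data, {breakmark})


def signature_set(chunks: Iterable[bytes]) -> Set[str]:
    """Compact signature database: one digest per distinct partition."""
    return {hashlib.sha256(c).hexdigest() for c in chunks}


def match_ratio(chunks: List[bytes], sigs: Set[str]) -> float:
    """Fraction of a candidate's partitions that are already known worm partitions."""
    if not chunks:
        return 0.0
    hits = sum(1 for c in chunks if hashlib.sha256(c).hexdigest() in sigs)
    return hits / len(chunks)


# Constructed sample payloads (not real worm traffic). Upper-case tokens are the
# invariant parts; lower-case runs are mutable filler. '|' and ';' are the bytes
# chosen here as breakmarks.
KNOWN_WORM = b"HDR|aaaa;CODE1|bbbb;CODE2|cccc;TAIL"
MILD_VARIANT = b"HDR|aaaa;CODE1|bbbb;CODE2|zzzz;TAIL"  # one filler rewritten
POLY_VARIANT = b"HDR|xyzw;CODE1|qrst;CODE2|mnop;TAIL"  # every filler rewritten

WINDOW = 4                      # assumed FPSW window size
SINGLE_MARK = ord(";")          # assumed VPSW breakmark
MULTI_MARKS = {ord(";"), ord("|")}  # assumed VPMB breakmark set


def compare_schemes(known: bytes, candidate: bytes) -> Dict[str, float]:
    """Build a signature set from `known` under each scheme and score `candidate` against it."""
    return {
        "FPSW": match_ratio(fpsw_chunks(candidate, WINDOW),
                            signature_set(fpsw_chunks(known, WINDOW))),
        "VPSW": match_ratio(vpsw_chunks(candidate, SINGLE_MARK),
                            signature_set(vpsw_chunks(known, SINGLE_MARK))),
        "VPMB": match_ratio(vpmb_chunks(candidate, MULTI_MARKS),
                            signature_set(vpmb_chunks(known, MULTI_MARKS))),
    }


def flagged(ratios: Dict[str, float], threshold: float = 0.5) -> Dict[str, bool]:
    """Detection decision per scheme (threshold is an assumed demo value)."""
    return {name: r >= threshold for name, r in ratios.items()}


if __name__ == "__main__":
    for label, variant in (("mild", MILD_VARIANT), ("polymorphic", POLY_VARIANT)):
        ratios = compare_schemes(KNOWN_WORM, variant)
        print(label, {k: round(v, 3) for k, v in ratios.items()}, flagged(ratios))
```

On the toy input, all three schemes keep most of their signature when only one filler changes, whereas once every filler is rewritten only the multi-breakmark partitions isolate the invariant tokens well enough to keep the match ratio above the threshold. The point is the granularity trade-off: a single breakmark yields long partitions that any mutation inside them invalidates, and fixed windows lose `window` substrings per mutated byte, while several breakmarks let the unchanged pieces still be recognised.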
Date of Conference: 22-24 March 2006