Skip to main content
Log in

On the adaptive real-time detection of fast-propagating network worms

  • Original Paper
  • Published:
Journal in Computer Virology Aims and scope Submit manuscript

Abstract

We present two light-weight worm detection algorithms that offer significant advantages over fixed-threshold methods. The first algorithm, rate-based sequential hypothesis testing (RBS), aims at the large class of worms that attempts to quickly propagate, thus exhibiting abnormal levels of the rate at which hosts initiate connections to new destinations. The foundation of RBS derives from the theory of sequential hypothesis testing, the use of which for detecting randomly scanning hosts was first introduced by our previous work developing TRW (Jung et al. in Proceedings of the IEEE Symposium on Security and Privacy, 9–12 May 2004). The sequential hypothesis testing methodology enables us to engineer detectors to meet specific targets for false-positive and false-negative rates, rather than triggering when fixed thresholds are crossed. In this sense, the detectors that we introduce are truly adaptive. We then introduce RBS+TRW, an algorithm that combines fan-out rate (RBS) and probability of failure (TRW) of connections to new destinations. RBS+TRW provides a unified framework that at one end acts as pure RBS and at the other end as pure TRW. Selecting an operating point that includes both mechanisms extends RBS’s power in detecting worms that scan randomly selected IP addresses. Using four traces from three qualitatively different sites, we evaluate RBS and RBS+TRW in terms of false positives, false negatives, and detection speed, finding that RBS+TRW provides good detection of actual Code Red worm outbreaks that we caught in our trace as well as internal Web crawlers that we use as proxies for targeting worms. In doing so, RBS+TRW generates fewer than one false alarm per hour for wide range of parameter choices.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Nmap—free security scanner for network exploration & security audits. http://www.insecure.org/nmap/

  2. Chen, S., Tang, Y.: Slowing down internet worms. In: Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS’04), Tokyo, Japan, March 2004

  3. Ehtereal.com. Ethereal. http://www.ethereal.com/

  4. Eichin, M.W., Rochlis, J.A.: With microscope and tweezers: an analysis of the Internet virus of November 1988. In: Proceedings of the IEEE Symposium on Research in Security and Privacy (1989)

  5. F-Secure: F-Secure Virus Descriptions: Santy. http://www.f-secure.com/v-descs/santy_a.shtml

  6. Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the IEEE Symposium on Security and Privacy, 9–12 May 2004

  7. Karagiannis T., Papagiannaki K. and Faloutsos M. (2005). Blinc: multilevel traffic classification in the dark. SIGCOMM Comput. Commun. Rev. 35(4): 229–240

    Article  Google Scholar 

  8. Kim, H.-A., Karp, B.: Autograph: toward automated distributed worm signature detection. In: Proceedings of the 13th USENIX Security Symposium, August 9–13 (2004)

  9. Schechter, S.E., Jung, J., Berger, A.W.: Fast detection of scanning worm infections. In: Proceedings of the Seventh International Symposium on Recent Advances in Intrusion Detection (RAID 2004), September 15–17 (2004)

  10. Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of the 13th Operating Systems Design and Implementation OSDI (December 2004)

  11. Spafford, E.H.: A failure to learn from the past. In: Proceedings of the 19th Annual Computer Security Applications Conference, pp. 217–233, December 8–12 (2003)

  12. Staniford, S., Paxson, V., Weaver, N.: How to own the Internet in your spare time. In: Proceedings of the 11th USENIX Security Symposium (Berkeley, CA, USA), pp. 149–170. USENIX Association, August 5–9 (2002)

  13. Turkey, J.W.: A survey of sampling from contaminated distributions. In: Contributions to Probability and Statistics. Stanford University Press (1960)

  14. Twycross, J., Williamson, M.M.: Implementing and testing a virus throttle. In: Proceedings of the 12th USENIX Security Symposium, August 4–8 (2003)

  15. Wald A. (1947). Sequential Analysis. Wiley, New York

    MATH  Google Scholar 

  16. Wang, K., Cretu, G., Stolfo, S.J.: Anomalous payload-based worm detection and signature generation. In: Proceedings of the Eighth International Symposium on Recent Advances in Intrusion Detection (RAID 2005) (September 2005)

  17. Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, pp. 11–18. ACM Press, New York, October 27 (2003)

  18. Weaver, N., Staniford, S., Paxson, V.: Very fast containment of scanning worms. In: Proceedings of the 13th USENIX Security Symposium, August 9–13 (2004)

  19. Whyte, D., Kranakis, E., van Oorschot, P.: DNS-based detection of scanning worms in an enterprise network. In: Proceedings of the Network and Distributed System Security Symposium (NDSS’05) (February 2005)

  20. Williamson, M.M.: Throttling viruses: restricting propagation to defeat malicious mobile code. In: Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC 2002), December 9–13 (2002)

  21. Wong, C., Bielski, S., Studer, A., Wang, C.: Empirical analysis of rate limiting mechanisms. In: Proceedings of the Eighth International Symposium on Recent Advances in Intrusion Detection (RAID 2005) (September 2005)

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Jaeyeon Jung.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Jung, J., Milito, R.A. & Paxson, V. On the adaptive real-time detection of fast-propagating network worms. J Comput Virol 4, 197–210 (2008). https://doi.org/10.1007/s11416-007-0080-y

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11416-007-0080-y

Keywords

Navigation