
NADTW: new approach for detecting TCP worm


A computer worm is self-replicating malicious code that does not alter files but resides in active memory, where it duplicates itself. Worms use parts of the operating system that are automatic and usually invisible to the user. Worms commonly exhibit abnormal behaviors, which become noticeable only when their uncontrolled replication consumes system resources and consequently slows or completely halts other tasks. This paper proposes an effective approach for detecting the presence of TCP network worms. The approach consists of two phases: the Statistical Cross-relation for Network Scanning (SCANS) phase and the Worm Correlation phase. The SCANS phase detects the network scanning behavior of a network worm, while the Worm Correlation phase detects the Destination Source Correlation (DSC) behavior of the network worm. The proposed approach has been tested with a simulated dataset obtained from the GTNetS simulator. The numerical results showed that the proposed approach is efficient and outperforms the well-known DSC approach in detecting the presence of a TCP network worm.
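The two-phase idea from the abstract, as an added illustration that is not the paper's code: a scanning check and a DSC check run over the same connection records, with an alert only where both agree. The record layout, thresholds and function names are assumptions; a plain fan-out count stands in for the SCANS statistics, and DSC is modeled as "contacted on port p, then connects out on port p".

```python
from collections import defaultdict

# Constructed connection attempts: (time_s, src, dst, dst_port). All values are made up.
FLOWS = [
    (1.0, "10.0.0.5", "10.0.0.9", 445),   # .9 is contacted on 445 ...
    (2.0, "10.0.0.9", "10.0.0.20", 445),  # ... then fans out on 445
    (2.1, "10.0.0.9", "10.0.0.21", 445),
    (2.2, "10.0.0.9", "10.0.0.22", 445),
    (2.3, "10.0.0.9", "10.0.0.23", 445),
    (4.0, "10.0.0.8", "10.0.0.40", 22),   # sweep by a host never contacted on 22
    (4.1, "10.0.0.8", "10.0.0.41", 22),
    (4.2, "10.0.0.8", "10.0.0.42", 22),
    (4.3, "10.0.0.8", "10.0.0.43", 22),
    (5.0, "10.0.0.30", "10.0.0.6", 25),   # relay: receives on 25, forwards once
    (6.0, "10.0.0.6", "10.0.0.50", 25),
]

def scanning_hosts(flows, min_targets=4, window=5.0):
    """Phase 1 stand-in: (src, port) pairs that reach many distinct hosts quickly."""
    events = defaultdict(list)
    for t, src, dst, port in sorted(flows):
        events[(src, port)].append((t, dst))
    flagged = set()
    for key, evs in events.items():
        for i, (t0, _) in enumerate(evs):
            if len({d for t, d in evs[i:] if t - t0 <= window}) >= min_targets:
                flagged.add(key)
                break
    return flagged

def dsc_hosts(flows, window=5.0):
    """Phase 2 stand-in: host contacted on port p that soon connects out on port p."""
    last_inbound = {}  # (host, port) -> (time, peer) of the latest inbound attempt
    flagged = set()
    for t, src, dst, port in sorted(flows):
        seen = last_inbound.get((src, port))
        if seen and t - seen[0] <= window and dst != seen[1]:
            flagged.add((src, port))
        last_inbound[(dst, port)] = (t, src)
    return flagged

def detect(flows):
    """Alert only on (host, port) pairs that show both behaviors."""
    return scanning_hosts(flows) & dsc_hosts(flows)

if __name__ == "__main__":
    print(detect(FLOWS))
```

In the constructed data the sweep on port 22 trips only the scanning check and the relay on port 25 trips only the DSC check, so neither raises an alert on its own.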




Author information

Correspondence to Mohammed Anbar.


Cite this article

Anbar, M., Abdullah, R., Munther, A. et al. NADTW: new approach for detecting TCP worm. Neural Comput & Applic 28, 525–538 (2017).



  • Destination Source Correlation (DSC)
  • Intrusion Detection System (IDS)
  • Network scanning
  • Malicious codes
  • TCP worm