Visualization for Intrusion Detection—Hooking the Worm

7. Conclusion

We have demonstrated that worm activity can be detected and analyzed by applying a trellis plot of parallel coordinate visualizations on the log of a small web server. The different requests made by worms can be correlated to the particular type of worm making the requests. Furthermore, the clusters formed by worm requests are markedly different from the clusters formed by benign requests for the data set in this paper. Other patterns of malicious requests were also found, one which was worm like and distinct from benign access requests and one that was not, and as a result was overlooked when the first version of this paper was published. The visualization was successful even though the number of data points visualized was larger than what is generally considered the limit for such methods.

Four different worm (or worm like) activities were found. Two of these were found to be indicative of the Nimda worm, one of the Code red worm, and the last two of a then largely unknown malicious activity, later identified as emanating from the manual application of the tool sfind.exe.