Containment of Fast Scanning Computer Network Worms

  • Muhammad Aminu AhmadEmail author
  • Steve Woodhead
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9258)


This paper presents a mechanism for detecting and containing fast scanning computer network worms. The countermeasure mechanism, termed NEDAC, uses a behavioural detection technique that observes the absence of DNS resolution in newly initiated outgoing connections. Upon detection of abnormal behaviour by a host, based on the absence of DNS resolution, the detection system then invokes a data link containment system to block traffic from the host. The concept has been demonstrated using a developed prototype and tested in a virtualised network environment. An empirical analysis of network worm propagation has been conducted based on the characteristics of reported contemporary vulnerabilities to test the capabilities of the countermeasure mechanism. The results show that the developed mechanism is sensitive in detecting and blocking fast scanning worm infection at an early stage.


Worm detection Malware Cyber defence Network security 


  1. 1.
    Niemelä, J., Palomäki, P.: Malware detection and application monitoring, November 2013Google Scholar
  2. 2.
    Li, P., Salour, M., Su, X.: A survey of internet worm detection and containment. IEEE Commun. Surv. Tutorials 10(1), 20–35 (2008)CrossRefGoogle Scholar
  3. 3.
    Fosnock, C.: Computer worms: past, present, and future, August 2005Google Scholar
  4. 4.
    Bencsáth, B., Pék, G., Buttyán, L., Félegyházi, M.: The cousins of stuxnet: Duqu, flame, and gauss. Fut. Int. 4(4), 971–1003 (2012)CrossRefGoogle Scholar
  5. 5.
    Tidy, L.J., Shahzad, K., Muhammad, A., Woodhead, S.: An assessment of the contemporary threat posed by network worm malware. In: The Ninth Internation Conference on Systems and Networks Communications (ICSNC 2014), October 2014Google Scholar
  6. 6.
    Williamson, M.M.: Throttling viruses: restricting propagation to defeat malicious mobile code. In: Proceedings of the 8th Annual IEEE Computer Security Applications Conference, pp. 61–68 (2002)Google Scholar
  7. 7.
    Whyte, D., Kranakis, E., Van Oorschot, P.C.: Dns-based detection of scanning worms in an enterprise network. In: NDSS, February 2005Google Scholar
  8. 8.
    Jyothsna, V., Prasad, V.R., Prasad, K.M.: A review of anomaly based intrusion detection systems. Int. J. Comput. Appl. (0975–8887), 28(7), 26–35 (2011)Google Scholar
  9. 9.
    Cheema, F.M., Akram, A., Iqbal, Z.: Comparative evaluation of header vs. payload based network anomaly detectors. In: Proceedings of the World Congress on Engineering, vol. 1, pp. 1–5, July 2009Google Scholar
  10. 10.
    Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the 2004 IEEE Symposium on Security and Privacy, pp. 211–225. IEEE (2004)Google Scholar
  11. 11.
    Weaver, N., Staniford, S., Paxson, V.: Very fast containment of scanning worms. In: Proceedings of the 13th USENIX Security Symposium (2004)Google Scholar
  12. 12.
    Rasheed, M.M., Norwawi, N.M., Ghazali, O., Kadhum, M.M.: Intelligent failure connection algorithm for detecting internet worms. Int. J. Comput. Sci. Netw. Secur. (IJCSNS) 9(5), 280 (2009)Google Scholar
  13. 13.
    Gu, G., Sharif, M., Qin, X., Dagon, D., Lee, W., Riley, G.: Worm detection, early warning and response based on local victim information. In: 20th Annual IEEE Computer Security Applications Conference, pp. 136–145 (2004)Google Scholar
  14. 14.
    Mahoney, M., Chan, P.K.: Phad: Packet header anomaly detection for identifying hostile network traffic. Technical report, Florida Institute of Technology technical report CS200104 (2001)Google Scholar
  15. 15.
    Shahzad, K., Woodhead, S.: Towards automated distributed containment of zero-day network worms. In: 2014 International Conference on Computing, Communication and Networking Technologies (ICCCNT), pp. 1–7. IEEE (2014)Google Scholar
  16. 16.
    Ganger, G.R., Economou, G., Bielski, S.M.: Self securing network interfaces: What, why and how? Technical report, Carnegie Mellon Univ Pittsburgh Pa School of Computer Science (2002)Google Scholar
  17. 17.
    Wong, C., Bielski, S., Studer, A., Wang, C.-X.: Empirical analysis of rate limiting mechanisms. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 22–42. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  18. 18.
    CVE. Common Vulnerabilities and Exposures (2014). Accessed on 19 October 2014
  19. 19.
    S. Connect. Vulnerabilities. Accessed on 12 November 2014
  20. 20.
    Garcia, L.M.: Programming with libpcap sniffing the network from our own application. In: Hakin9-Computer Security Magazine, pp. 2–2008 (2008)Google Scholar
  21. 21.
  22. 22.
    CAIDA, The Internet Topology Data Kit. Accessed on 11 November 2014
  23. 23.
    Combs, G.: Tshark-the wireshark network analyser.
  24. 24.
    W3schools os statistics. Accessed on 12 November 2014
  25. 25.
    Cotton, M., Vegoda, L.: Special use ipv4 addresses. Technical report, BCP 153, RFC 5735, January 2010Google Scholar
  26. 26.
    Lowe, S.: Mastering VMware vSphere 5. Wiley (2011)Google Scholar
  27. 27.
    Hwang, J., Zeng, S., Wood, T.: A component based performance comparison of four hypervisors. In: 2013 IFIP/IEEE International Symposium on Integrated Network Management (IM 2013), pp. 269–276, May 2013Google Scholar
  28. 28.
    Ishiguro, K., Takada, T., Ohara, Y., Zinin, A.D., Natapov, G., Mizutani, A.: Quagga routing suite (2007)Google Scholar
  29. 29.
    Shahzad, K., Woodhead, S.: A pseudo-worm daemon (pwd) for empirical analysis of zero-day network worms and countermeasure testing. In: 2014 International Conference on Computing, Communication and Networking Technologies (ICCCNT), pp. 1–6. IEEE (2014)Google Scholar
  30. 30.
    Damn Small Linux. Accessed 19 October 2014
  31. 31.
    Staniford, S., Vern, P., Nicholas, W.: How to own the internet in your spare time. In: USENIX Security Symposium, pp. 149–167, August 2002Google Scholar
  32. 32.
    Net Index. Accessed 16 November 2014

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Faculty of Engineering and ScienceUniversity of GreenwichGreenwichUK

Personalised recommendations