Fast Detection of Worm Infection for Large-Scale Networks

  • Hui He
  • Mingzeng Hu
  • Weizhe Zhang
  • Hongli Zhang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3930)


Internet worms constitute a major threat to the security of today’s networks. They work by exploiting vulnerabilities in operating systems and application software that run on end systems. In this paper, an effective algorithm for fast detection of worms is proposed. It integrates the worms’ behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution and changes in some of their attributes. The process of fast detection based on similarity is discussed in detail including threshold selection, similarity detection algorithm and fine analysis. Simulation experiments show that the detection algorithm can locate the worm infection prior to it spreading over the large-scale network.


Keywords: Fast Detection; Background Traffic; Traffic Distribution; Destination Port; Condition Judgment
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Hui He (1)
  • Mingzeng Hu (1)
  • Weizhe Zhang (1)
  • Hongli Zhang (1)

  1. Department of Computer Science and Engineering, Harbin Institute of Technology, Harbin, China
