Adaptive Method for Monitoring Network and Early Detection of Internet Worms

  • Chen Bo
  • Bin Xing Fang
  • Xiao Chun Yun
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3975)


After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new algorithm for detecting worms. Our algorithm first monitors the computers on network and gets the number of abnormal computers. Then based on the monitoring result, we detect an unknown worm by using recursive least squares estimation. The experiments result proves that our approach is effective to detect unknown worm.


Intrusion Detection System Exponential Weighted Moving Average Recursive Little Square Simple Network Management Protocol Recursive Little Square Algorithm 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Zou., C.C., Gong, W.: Monitoring and Early Detection of Internet Worms. In: Proceeding of th 10th ACM symposium on computer and communication security, pp. 190–199. ACM, Washington (2003)CrossRefGoogle Scholar
  2. 2.
    Zou., C.C., Gong., W., Towsley, D.: Worm Propagation Modeling and Analysis under Dynamic Quarantine Defense. In: Proceedings of ACM CCS Workshop on Rapid Malcode, pp. 51–60 (2003)Google Scholar
  3. 3.
    Berk., V.H., Gray., R.S., Bakos, G.: Using Sensor Networks and Data Fusion for Early Detection of Active Worms. In: Proceedings of the SPIE AeroSense (2003)Google Scholar
  4. 4.
    Kephart, J.O., White, S.R.: Directed-graph Epidemiological Models of Computer Viruses. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 343–359 (1991)Google Scholar
  5. 5.
    Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.: GrIDS a Graph Based Intrusion Detection System for Large Networks. In: Proceedings of the 19th National Information Systems Security Conference, pp. 361–370 (1996)Google Scholar
  6. 6.
    Ellis, D.: Worm Anatomy and Model. In: Proceedings of the ACM workshop on Rapid Malcode, pp. 43–50 (2003)Google Scholar
  7. 7.
    Zou., C.C., Gong., W., Towsley, D.: Code Red Worm Propagation Modeling and Analysis. In: Proceedings of 9th ACM Conference on Computer and Communications Security, pp. 138–147 (2002)Google Scholar
  8. 8.
    Daley., D.J., Gani, J.: Epidemic Modeling: an Introduction. Cambridge University Press, Cambridge (1999)CrossRefGoogle Scholar
  9. 9.
    Ljung, L.: System Identification: Theory for the User. Prentice Hall, Upper Saddle River (1999)Google Scholar
  10. 10.
    Ljung, L., Soderstrom, T.: Theory and Practice of Recursive Identification. MIT Press, Cambridge (1983)MATHGoogle Scholar
  11. 11.
    Zheng, J., Mingzeng, H.U.: An Anomaly Intrusion Detection System Based on Vector Quantization. IEICE TRANS INF. & SYST. E89-D(1), 201–210 (2006)Google Scholar
  12. 12.
    Dagon, D., Qin, X., Gu, G., Lee, W., Grizzard, J., Levin, J., Owen, H.: Honeystat: Local worm detection using honeypots. In: Proceedings of the 7th International Symposium on Recent Advances in Intrusion Detection, RAID (2004)Google Scholar
  13. 13.
    Staniford, S.: Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security (2003)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Chen Bo
    • 1
  • Bin Xing Fang
    • 1
  • Xiao Chun Yun
    • 1
  1. 1.The Department of Computer Science and EngineeringHarbin Institute of TechnologyHarbinChina

Personalised recommendations