Fast Detection of Worm Infection for Large-Scale Networks

  • Conference paper
Advances in Machine Learning and Cybernetics

Part of the book series: Lecture Notes in Computer Science (LNAI, volume 3930)

Abstract

Internet worms constitute a major threat to the security of today’s networks. They work by exploiting vulnerabilities in operating systems and application software that run on end systems. In this paper, an effective algorithm for fast detection of worms is proposed. It integrates the worms’ behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution and changes in some of their attributes. The process of fast detection based on similarity is discussed in detail including threshold selection, similarity detection algorithm and fine analysis. Simulation experiments show that the detection algorithm can locate the worm infection prior to it spreading over the large-scale network.

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

He, H., Hu, M., Zhang, W., Zhang, H. (2006). Fast Detection of Worm Infection for Large-Scale Networks. In: Yeung, D.S., Liu, ZQ., Wang, XZ., Yan, H. (eds) Advances in Machine Learning and Cybernetics. Lecture Notes in Computer Science, vol 3930. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11739685_70

  • DOI: https://doi.org/10.1007/11739685_70

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-33584-9

  • Online ISBN: 978-3-540-33585-6

  • eBook Packages: Computer Science, Computer Science (R0)
