
Fast Detection of Scanning Worm Infections

  • Conference paper: Recent Advances in Intrusion Detection (RAID 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3224)

Abstract

Worm detection and response systems must act quickly to identify and quarantine scanning worms, as when left unchecked such worms have been able to infect the majority of vulnerable hosts on the Internet in a matter of minutes [9]. We present a hybrid approach to detecting scanning worms that integrates significant improvements we have made to two existing techniques: sequential hypothesis testing and connection rate limiting. Our results show that this two-pronged approach successfully restricts the number of scans that a worm can complete, is highly effective, and has a low false alarm rate.
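As an added illustration (not the authors' code, and not the paper's actual parameters), the following combines the two mechanisms the abstract names on a per-host basis: Wald's sequential probability ratio test over the outcomes of a host's first-contact connections, and a credit-based connection rate limit that caps how many first contacts an undecided host may make. The failure probabilities, error-rate targets, and credit values are assumptions chosen for the example; the outcome sequences are constructed.

```python
import math
from dataclasses import dataclass

# Illustrative parameters (assumptions, not the paper's): H0 = benign, H1 = infected.
P_FAIL_BENIGN, P_FAIL_INFECTED = 0.2, 0.8   # P(first contact fails | H0), | H1
ALPHA, BETA = 0.01, 0.01                    # target false-positive / false-negative rates
ETA1 = math.log((1 - BETA) / ALPHA)         # LLR at or above this -> "infected"
ETA0 = math.log(BETA / (1 - ALPHA))         # LLR at or below this -> "benign"
START_CREDITS, MAX_CREDITS, REFUND = 10, 10, 2   # assumed credit-limiter settings

@dataclass
class HostState:
    llr: float = 0.0            # running log-likelihood ratio (Wald's SPRT)
    verdict: str = "pending"
    credits: int = START_CREDITS
    allowed: int = 0
    blocked: int = 0

def sprt_update(state: HostState, success: bool) -> str:
    """Fold one observed first-contact outcome into the SPRT; return the verdict."""
    if state.verdict != "pending":
        return state.verdict
    if success:
        state.llr += math.log((1 - P_FAIL_INFECTED) / (1 - P_FAIL_BENIGN))
    else:
        state.llr += math.log(P_FAIL_INFECTED / P_FAIL_BENIGN)
    if state.llr >= ETA1:
        state.verdict = "infected"
    elif state.llr <= ETA0:
        state.verdict = "benign"
    return state.verdict

def rate_limited_attempt(state: HostState, success: bool) -> bool:
    """Credit limiter: a first contact spends a credit; only a success earns credits back."""
    if state.credits <= 0:
        state.blocked += 1          # credits exhausted: the scan attempt never leaves the host
        return False
    state.credits -= 1
    state.allowed += 1
    if success:
        state.credits = min(MAX_CREDITS, state.credits + REFUND)
    return True

def process_host(outcomes):
    """Run both mechanisms over one host's outcomes (True = success); return (verdict, allowed, blocked)."""
    st = HostState()
    for ok in outcomes:
        if rate_limited_attempt(st, ok):   # only attempts that go out are observed by the SPRT
            sprt_update(st, ok)
    return st.verdict, st.allowed, st.blocked
```

With these parameters a run of four failed first contacts already crosses the upper threshold, while a host that only ever fails is cut off after its initial credits, which is the "restricts the number of scans" effect the abstract claims.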


References

  1. Bakos, G., Berk, V.: Early detection of internet worm activity by metering ICMP destination unreachable messages. In: Proceedings of the SPIE Aerosense (2002)

  2. Berk, V., Bakos, G., Morris, R.: Designing a framework for active worm detection on global networks. In: Proceedings of the IEEE International Workshop on Information Assurance (March 2003)

  3. Berk, V.H., Gray, R.S., Bakos, G.: Using sensor networks and data fusion for early detection of active worms. In: Proceedings of the SPIE Aerosense Conference (April 2003)

  4. CERT. "Code Red II:" another worm exploiting buffer overflow in IIS indexing service DLL, http://tinyurl.com/2lzgb

  5. F-Secure. Computer virus information pages: Lovsan, http://tinyurl.com/ojd1

  6. F-Secure. Computer virus information pages: Mimail.J, http://tinyurl.com/3ybsp

  7. Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the IEEE Symposium on Security and Privacy, May 9-12 (2004)

  8. Kienzle, D.M., Elder, M.C.: Recent worms: a survey and trends. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, October 27, pp. 1–10. ACM Press, New York (2003)

  9. Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer worm. IEEE Security and Privacy 1, 33–39 (2003)

  10. Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: Proceedings of IEEE INFOCOM, April 1-3 (2003)

  11. Network Associates Inc. Security threat report for W32/MydoomMM, http://tinyurl.com/2asgc

  12. Paxson, V.: Bro: A system for detecting network intruders in real-time, http://www.icir.org/vern/bro-info.html

  13. Paxson, V.: Bro: a system for detecting network intruders in real-time. Computer Networks 31(23-24), 2435–2463 (1999)

  14. Sidiroglou, S., Keromytis, A.D.: Countering network worms through automatic patch generation. Technical Report CUCS-029-03 (2003)

  15. Sidiroglou, S., Keromytis, A.D.: A network worm vaccine architecture. In: Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security (June 2003)

  16. Staniford, S.: Containment of scanning worms in enterprise networks. Journal of Computer Security (forthcoming)

  17. Staniford, S., Hoagland, J., McAlerney, J.: Practical automated detection of stealthy portscans. Journal of Computer Security 10(1), 105–136 (2002)

  18. Staniford, S., Paxson, V., Weaver, N.: How to 0wn the Internet in your spare time. In: Proceedings of the 11th USENIX Security Symposium, August 7-9 (2002)

  19. Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.: GrIDS – A graph-based intrusion detection system for large networks. In: Proceedings of the 19th National Information Systems Security Conference, October 1996, vol. 1, pp. 361–370 (1996)

  20. Symantec. Security response – CodeRed II, http://tinyurl.com/89t0

  21. Symantec. Security response – W32.Novarg.Amm, http://tinyurl.com/2lv95

  22. Twycross, J., Williamson, M.M.: Implementing and testing a virus throttle. In: Proceedings of the 12th USENIX Security Symposium, August 4-8 (2003)

  23. von Ahn, L., Blum, M., Langford, J.: Telling humans and computers apart (automatically) or how lazy cryptographers do AI. Technical Report CMU-CS-02-117 (February 2002)

  24. Wald, A.: Sequential Analysis. J. Wiley & Sons, New York (1947)

  25. Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, October 27, pp. 11–18. ACM Press, New York (2003)

  26. Weaver, N., Staniford, S., Paxson, V.: Very fast containment of scanning worms. In: Proceedings of the 13th USENIX Security Symposium, August 9-13 (2004)

  27. Williamson, M.M.: Throttling viruses: Restricting propagation to defeat malicious mobile code. In: Proceedings of The 18th Annual Computer Security Applications Conference (ACSAC 2002), December 9-13 (2002)

Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Schechter, S.E., Jung, J., Berger, A.W. (2004). Fast Detection of Scanning Worm Infections. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_4

  • DOI: https://doi.org/10.1007/978-3-540-30143-1_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23123-3

  • Online ISBN: 978-3-540-30143-1

  • eBook Packages: Springer Book Archive