Design and Evaluation of a Fast and Robust Worm Detection Algorithm

A method and computer product are presented for identifying Internet worm propagation from changes in packet arrival rates at a network connection. First, unsolicited traffic (packets the receiver did not request) is separated from solicited traffic at the network connection. The arrival pattern of the unsolicited traffic is then monitored and analyzed for changes. Once a change in the unsolicited arrival pattern is detected, it is analyzed mathematically for growth trends; the presence of growth trends with certain key characteristics indicates whether the change is due to worm propagation.
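The three stages the abstract describes (separate unsolicited from solicited traffic, detect a change in the unsolicited arrival rate, then test the post-change trend for worm-like growth) can be prototyped in a few dozen lines. The following is an added example, not the paper's implementation, and it fills in details the abstract leaves open as labelled assumptions: a packet counts as "solicited" when the local host previously sent traffic to its source, the change detector is a one-sided CUSUM over per-second counts, and the "key characteristic" tested for is exponential growth (a log-linear fit with positive slope and good fit). All packet traces are constructed inline; the hosts, thresholds and window sizes are illustrative choices.

```python
"""Added example of a three-stage worm-propagation detector (hypothetical
code, not the paper's). Assumptions not stated in the abstract: 'unsolicited'
means inbound from a source the local host never contacted; change detection
is a one-sided CUSUM; the worm-like trend is exponential growth."""
import math
import random
from collections import namedtuple

Packet = namedtuple("Packet", "time src dst inbound")
LOCAL = "10.0.0.5"  # constructed local address


def split_unsolicited(packets):
    """Stage 1: keep only inbound packets whose source the local host had not
    contacted earlier in the trace (assumed definition of 'unsolicited')."""
    contacted, unsolicited = set(), []
    for p in sorted(packets, key=lambda p: p.time):
        if not p.inbound:
            contacted.add(p.dst)
        elif p.src not in contacted:
            unsolicited.append(p)
    return unsolicited


def arrival_counts(packets, window, horizon):
    """Bin arrival times into fixed windows and return the per-window counts."""
    counts = [0] * int(math.ceil(horizon / window))
    for p in packets:
        counts[min(int(p.time // window), len(counts) - 1)] += 1
    return counts


def cusum_change_point(counts, baseline, slack, threshold):
    """Stage 2: one-sided CUSUM, S_t = max(0, S_{t-1} + x_t - baseline - slack).
    Returns the first window index whose statistic exceeds threshold, or None."""
    s = 0.0
    for i, x in enumerate(counts):
        s = max(0.0, s + x - baseline - slack)
        if s > threshold:
            return i
    return None


def growth_trend(counts, start):
    """Stage 3: least-squares fit of ln(count) against window index from
    `start` on. Returns (per-window exponential growth rate, r_squared)."""
    pts = [(i, math.log(c)) for i, c in enumerate(counts) if i >= start and c > 0]
    n = len(pts)
    if n < 3:
        return 0.0, 0.0
    mx = sum(x for x, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((x - mx) ** 2 for x, _ in pts)
    sxy = sum((x - mx) * (y - my) for x, y in pts)
    syy = sum((y - my) ** 2 for _, y in pts)
    slope = sxy / sxx
    r2 = (sxy * sxy) / (sxx * syy) if syy > 0 else 0.0
    return slope, r2


def classify(packets, window=1.0, horizon=60.0, baseline=2.0, slack=1.0,
             threshold=8.0, min_rate=0.1, min_fit=0.8):
    """Run all three stages; report change point, fitted trend and verdict."""
    counts = arrival_counts(split_unsolicited(packets), window, horizon)
    cp = cusum_change_point(counts, baseline, slack, threshold)
    if cp is None:
        return {"change_point": None, "rate": 0.0, "fit": 0.0, "worm": False}
    rate, fit = growth_trend(counts, cp)
    return {"change_point": cp, "rate": rate, "fit": fit,
            "worm": rate >= min_rate and fit >= min_fit}


def constructed_trace(worm=True, seed=7):
    """Constructed 60 s trace. Background: replies to the local host's own
    polls (solicited) plus 1-3 stray unsolicited packets per second. From
    t=30 s, unsolicited arrivals from fresh sources grow by 25 % per second
    (worm=True) or arrive at a flat 12 per second (worm=False)."""
    rng = random.Random(seed)
    pkts = []
    for sec in range(60):
        for srv in ("192.0.2.10", "192.0.2.11"):  # polled servers: solicited
            pkts.append(Packet(sec + 0.1, LOCAL, srv, False))
            pkts.append(Packet(sec + 0.2, srv, LOCAL, True))
        for _ in range(rng.choice([1, 2, 3])):  # stray background
            pkts.append(Packet(sec + rng.random(),
                               "198.51.100.%d" % rng.randint(1, 254), LOCAL, True))
        if sec >= 30:
            n = int(3 * 1.25 ** (sec - 30)) if worm else 12
            for k in range(n):
                pkts.append(Packet(sec + rng.random(),
                                   "203.0.113.%d" % (k % 254 + 1), LOCAL, True))
    return pkts


if __name__ == "__main__":
    for label, trace in (("worm", constructed_trace(True)),
                         ("flat burst", constructed_trace(False))):
        print(label, classify(trace))
```

The point of the third stage is visible in the two constructed traces: both trigger the CUSUM a few seconds after t=30, but only the exponentially growing one passes the trend test, while the flat burst is reported as a change that is not worm propagation. Baseline, slack and threshold should be set from the connection's normal unsolicited rate rather than fixed constants in practice.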
