NADTW: new approach for detecting TCP worm

A computer worm is self-replicating malicious code that spreads from host to host over the network without modifying existing files: on each infected machine it typically lives in memory and copies itself onward. Worms exploit automatic operating-system and network services that are normally invisible to the user, so an infection is often noticed only when uncontrolled replication exhausts system or network resources and slows or halts other work. This paper proposes an approach for detecting TCP network worms that consists of two phases: a Statistical Cross-relation for Network Scanning (SCANS) phase and a Worm Correlation phase. The SCANS phase detects the network-scanning behavior with which a worm searches for new victims, while the Worm Correlation phase detects the Destination Source Correlation (DSC) behavior of a worm, in which a host that has just been contacted on a service port begins contacting other hosts on the same port. The approach was evaluated on a simulated dataset generated with the GTNetS simulator. The numerical results show that the proposed approach is efficient and outperforms the well-known DSC approach at detecting the presence of a TCP network worm.
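The following is an added example, not code from the paper, showing how the two phases fit together over TCP flow records. The abstract does not give the SCANS statistic, so phase 1 here uses a stand-in scan heuristic (distinct destinations on one port inside a time window, weighted by the share of failed connections); phase 2 implements destination-source correlation in the general sense: a host that accepted a connection on port P from a flagged scanner and then fans out on port P is reported. The flow records, thresholds, and window size are constructed assumptions for illustration.

```python
"""Two-phase TCP worm detection over flow records (illustrative, not the
paper's implementation).

Phase 1 (stand-in for SCANS): per (source, port), flag sources whose
fan-out within WINDOW seconds reaches SCAN_MIN_TARGETS distinct hosts
with at least SCAN_MIN_FAIL_RATIO of those connections failing.
Phase 2 (DSC): a host that accepted a connection on port P from a
flagged scanner and then connects out on port P to DSC_MIN_TARGETS
distinct hosts is reported as a worm victim that has started spreading.
"""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions chosen for the constructed sample below.
WINDOW = 60.0              # seconds of traffic considered per source/port
SCAN_MIN_TARGETS = 8       # distinct destinations needed to call it a scan
SCAN_MIN_FAIL_RATIO = 0.5  # share of failed handshakes in that window
DSC_MIN_TARGETS = 4        # lower fan-out bar once a host is correlated


@dataclass(frozen=True)
class Flow:
    t: float     # timestamp in seconds
    src: str     # initiating host
    dst: str     # responding host
    dport: int   # destination TCP port
    ok: bool     # True = handshake completed, False = RST/timeout


def scan_scores(flows):
    """Phase 1: return {(src, dport): (targets, fail_ratio)} for every
    source/port pair that crosses the scan thresholds in some window."""
    by_key = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.t):
        by_key[(f.src, f.dport)].append(f)
    scanners = {}
    for key, fs in by_key.items():
        start, best = 0, None
        for end in range(len(fs)):
            while fs[end].t - fs[start].t > WINDOW:   # slide window start
                start += 1
            window = fs[start:end + 1]
            targets = len({f.dst for f in window})
            ratio = sum(not f.ok for f in window) / len(window)
            if targets >= SCAN_MIN_TARGETS and ratio >= SCAN_MIN_FAIL_RATIO:
                if best is None or targets > best[0]:
                    best = (targets, ratio)
        if best is not None:
            scanners[key] = best
    return scanners


def dsc_alerts(flows, scanners):
    """Phase 2: destination-source correlation. Returns
    {(victim, dport): outbound_target_count} for hosts that were
    successfully hit on a port by a flagged scanner and then fanned out
    on the same port afterwards."""
    infected_at = {}   # (victim, port) -> time of first successful inbound hit
    for f in sorted(flows, key=lambda f: f.t):
        if f.ok and (f.src, f.dport) in scanners:
            infected_at.setdefault((f.dst, f.dport), f.t)
    alerts = {}
    for (victim, port), t0 in infected_at.items():
        outbound = {f.dst for f in flows
                    if f.src == victim and f.dport == port and f.t > t0}
        if len(outbound) >= DSC_MIN_TARGETS:
            alerts[(victim, port)] = len(outbound)
    return alerts


def detect(flows):
    """Run both phases and return (scanners, dsc_alerts)."""
    scanners = scan_scores(flows)
    return scanners, dsc_alerts(flows, scanners)


# Constructed sample traffic (not real data):
SAMPLE = (
    # 10.0.0.5 sweeps 10.0.1.1-12 on TCP/445 one host per second; only
    # 10.0.1.7 completes the handshake, so it is the new victim.
    [Flow(float(t), "10.0.0.5", f"10.0.1.{i}", 445, i == 7)
     for i, t in zip(range(1, 13), range(0, 12))]
    # The victim then probes 10.0.2.1-6 on the same port: too few targets
    # to trip phase 1 on its own, but enough for the correlated phase 2.
    + [Flow(20.0 + i, "10.0.1.7", f"10.0.2.{i}", 445, i == 3)
       for i in range(1, 7)]
    # Benign client: three successful HTTPS connections.
    + [Flow(5.0 + i, "10.0.0.9", f"10.0.3.{i}", 443, True)
       for i in range(1, 4)]
)

if __name__ == "__main__":
    scanners, alerts = detect(SAMPLE)
    for (src, port), (targets, ratio) in scanners.items():
        print(f"scan: {src} -> {targets} hosts on tcp/{port}, fail ratio {ratio:.2f}")
    for (victim, port), n in alerts.items():
        print(f"DSC: {victim} hit on tcp/{port} then contacted {n} hosts on it")
```

The point of the second phase is visible in the sample: the victim's own fan-out (six hosts) is below the phase 1 scan threshold, so a scan detector alone would report it only later, while correlating its inbound infection with its outbound activity on the same port catches it early with a lower bar.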
