Earlybird: Catching the Internet Worm
Author
Abstract
Internet worms, or malicious programs that spread autonomously from computer to computer, have become a problem at the forefront of computer security concerns in recent years. Several different approaches to the problem provide partial solutions, but the general problem of detecting when a worm has entered a network has not been solved. In this paper, we apply machine learning techniques to the problem of worm detection. We apply the tools of graphical models and statistical inference to the problem of detecting Internet worms. Specifically, we model the problem as an HMM, in which the hidden state is either packet infected or packet clean, and the learner makes observations on Internet traffic. We survey current problems and solutions in the field of Internet worm defense. We discuss approaches to modeling the problems, and we touch on several issues in representation and simulation. We describe models for normal network behavior and worm behavior that enable large-scale simulation of normal networks and worm infection, and we discuss simplifications and tradeoffs that aid in performing such simulation. Finally, we discuss our experience with implementing a simulator and our frustrations due to persistent bugs. We analyze the (incomplete) results we have obtained, and we show that the simulator and learner do produce interesting behavior that shows evidence of learning potential once the bugs are eliminated.
Related sources
WormShield: Collaborative Worm Signature Detection Using Distributed Aggregation Trees
Problem. Large-scale worm outbreak is one of the major security threats to today’s Internet. Network worms exploit the vulnerabilities of widely deployed homogenous software to self-propagate quickly. Moore et al. [3] show that the reaction time of worm containment is only a few minutes and that signature-based filtering is more efficient than source-address filtering. Recent work by Earlybird [4] a...
IARMSG: Incremental Association Rule Mining for Automatic Worm Signature Generation
In the recent era, Internet worms are one of the serious threats which have been a major cause of intrusion attempts. Traditional Intrusion Detection Systems (IDS) store all known worm signatures and monitor real-time traffic ...
The EarlyBird System for Real-time Detection of Unknown Worms
Network worms are a major threat to the security of today’s Internet-connected hosts and networks. The combination of unmitigated connectivity and widespread software homogeneity allows worms to exploit tremendous parallelism in propagation. Modern worms spread so quickly that no human-mediated reaction to the outbreak of a new worm can hope to prevent a widespread epidemic. In this paper we pr...