SWORD: Self-propagating Worm Observation and Rapid Detection

As the launching of a worm can have disastrous effects on the Internet in just minutes, it is essential to automatically and reliably detect worms in their early stages. In contrast to content-based approaches, in this paper we study the feasibility of a behavior-based solution through our SWORD framework. As SWORD does not inspect the payload of traffic, it is resilient against polymorphic worms and avoids the expense of examining traffic payload. We focus on three algorithms embraced in the SWORD framework: the causal similarity identification algorithm, destination address distribution analysis algorithm, and continuity analysis algorithm. We investigate how they may identify worm-like connections and raise an alarm by identifying essential behaviors that a worm must display. Our evaluation shows that SWORD exhibits promise in quickly, accurately, and efficiently detecting self-propagating worms of different speeds and scanning methods. We also point out extensions to SWORD that can detect infected hosts and classify a worm based on its behavior. Although some limitations and open issues remain, SWORD is an important step toward detecting zero-day self-propagating worms via a behavior-based approach.