Effective worm detection for various scan techniques
Authors
Abstract
In recent years, the threats and damages caused by active worms have become more and more serious. In order to reduce the loss caused by fast-spreading active worms, an effective detection mechanism to quickly detect worms is desired. In this paper, we first explore various scan strategies used by worms on finding vulnerable hosts. We show that targeted worms spread much faster than random scan worms. We then present a generic worm detection architecture to monitor malicious worm activities. We propose and evaluate our detection mechanism called Victim Number Based Algorithm. We show that our detection algorithm is effective and able to detect worm events before 2% of vulnerable hosts are infected for most scenarios. Furthermore, in order to reduce false alarms, we propose an integrated approach using multiple parameters as indicators to detect worm events. The results suggest that our integrated approach can differentiate worm attacks from DDoS attacks and benign scans.
Similar resources
An Effective Architecture and Algorithm for Detecting Worms with Various Scan
Since the days of the Morris worm, the spread of malicious code has been the most imminent menace to the Internet. Worms use various scanning methods to spread rapidly. Worms that select scan destinations carefully can cause more damage than worms employing random scan. This paper analyzes various scan techniques. We then propose a generic worm detection architecture that monitors malicious act...
Early Worm Detection for Minimizing Damage in E-Service Networks
Network attacks such as computer virus and worms that scan computers randomly have caused billions of dollars in damage to enterprises across the Internet [Erbschloe M., 2005]. There are different worm detection techniques. [Guofei, G., 2004] classified them according to the worm characteristic used by detection technique. One approach is using worm signatures, it depends on the identical or si...
A Fast Worm Scan Detection Tool for VPN Congestion Avoidance
Finding the cause for congested virtual private network (VPN) links that connect an office network over the Internet to remote subsidiaries can be a hassle. Scan traffic of worm infected hosts is one important possible cause. We developed a scan detection tool, which continuously monitors network traffic on VPN gateway(s) and that reliably detects and reports worm infected hosts by tracking ano...
Hitlist Worm Detection using Source IP Address History
Internet worms are a growing menace due to their increasing sophistication and speed of propagation. In this paper, we present a new worm detection scheme, History-based IP Worm Detection. It uses the difference in the distribution of source addresses between regular users and scanning hosts to distinguish between worm probes and normal accesses. This property is used to implement a weighted so...
Internet Worm Classification and Detection using Data Mining Techniques
Internet worm means separate malware computer programs that repeated itself and in order to spread one computer to another computer. Malware includes computer viruses, worms, root kits, key loggers, Trojan horse, and dialers, adware, malicious, spyware, rogue security software and other malicious programs. It is programmed by attackers to interrupt computer process, gather Delicate Information, ...
Journal title:
- Journal of Computer Security
Volume 14, Issue
Pages -
Publication date 2006