Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurement
Monitoring and early warning for internet worms
Proceedings of the 10th ACM conference on Computer and communications security
IEEE Security and Privacy
Cisco Security Agent
Vigilante: end-to-end containment of internet worms
Proceedings of the twentieth ACM symposium on Operating systems principles
Anomalous system call detection
ACM Transactions on Information and System Security (TISSEC)
A Multi-Resolution Approach for Worm Detection and Containment
DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
Probabilistic anomaly detection in distributed computer networks
Science of Computer Programming
The impact of stochastic variance on worm propagation and detection
Proceedings of the 4th ACM workshop on Recurring malcode
OSDI'04 Proceedings of the 6th conference on Symposium on Operating Systems Design & Implementation - Volume 6
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Challenging the anomaly detection paradigm: a provocative discussion
NSPW '06 Proceedings of the 2006 workshop on New security paradigms
An adaptive anomaly detector for worm detection
SYSML'07 Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques
Detection of slow malicious worms using multi-sensor data fusion
CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
A scalable network forensics mechanism for stealthy self-propagating attacks
Computer Communications
The propagation speed of fast scanning worms and the stealthy nature of slow scanning worms present unique challenges to intrusion detection. Typically, techniques optimized for detection of fast scanning worms fail to detect slow scanning worms, and vice versa. In practice, there is interest in developing an integrated approach to detecting both classes of worms. In this paper, we propose and analyze a unique integrated detection approach capable of detecting and identifying the traffic flow(s) responsible for simultaneous fast and slow scanning malicious worm attacks. The approach uses a combination of evidence from distributed host-based anomaly detectors, a self-adapting profiler and Bayesian inference from network heuristics to detect intrusion activity due to both fast and slow scanning worms. We assume that the extreme nature of fast scanning worm epidemics makes them well suited for extreme value theory, and we use the sample mean excess function to determine appropriate thresholds for detection of such worms. Random scanning worm behavior is considered in analyzing the stochastic time intervals that affect the behavior of the detection technique. Based on the analysis, a probability model for the worm detection interval under the detection scheme was developed. Simulations are used to validate our assumptions and analysis.
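The threshold step the abstract describes rests on the sample mean excess function from extreme value theory, e(u) = E[X - u | X > u], estimated from observed exceedances. The following added example (not code from the paper or its authors) computes the empirical mean excess curve over a constructed series of per-interval distinct-destination counts for one host and applies the classic mean excess plot heuristic: choose the lowest threshold above which the curve is approximately a straight line, which is where a generalized Pareto tail model starts to fit. The least-squares linearity test, its tolerance, the `min_exceedances` cut-off and the sample data are all assumptions of this example, not the paper's procedure.

```python
"""Empirical sample mean excess function for EVT-style threshold selection.

Added illustration; the linearity heuristic and sample data are assumptions
of this example, not the paper's own method.
"""
from typing import List, Optional, Sequence, Tuple


def mean_excess(sample: Sequence[float], u: float) -> Optional[float]:
    """Empirical mean excess e(u) = mean(x - u for x > u); None if nothing exceeds u."""
    excesses = [x - u for x in sample if x > u]
    if not excesses:
        return None
    return sum(excesses) / len(excesses)


def mean_excess_curve(sample: Sequence[float],
                      min_exceedances: int = 5) -> List[Tuple[float, float]]:
    """(u, e(u)) for each distinct sample value u, in increasing order.

    Stops once fewer than min_exceedances observations lie above u, because
    the estimate becomes too noisy far out in the tail (assumed cut-off)."""
    curve: List[Tuple[float, float]] = []
    for u in sorted(set(sample)):
        if sum(1 for x in sample if x > u) < min_exceedances:
            break
        curve.append((u, mean_excess(sample, u)))
    return curve


def _max_residual(points: Sequence[Tuple[float, float]]) -> float:
    """Largest absolute residual of an ordinary least-squares line through points."""
    n = len(points)
    mx = sum(p[0] for p in points) / n
    my = sum(p[1] for p in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    sxy = sum((x - mx) * (y - my) for x, y in points)
    slope = sxy / sxx if sxx else 0.0
    intercept = my - slope * mx
    return max(abs(y - (intercept + slope * x)) for x, y in points)


def pick_threshold(curve: Sequence[Tuple[float, float]], tolerance: float,
                   min_points: int = 3) -> Optional[float]:
    """Mean excess plot heuristic (assumed): return the smallest u such that the
    curve from u onward is linear within `tolerance`; None if no such u exists."""
    for i in range(0, len(curve) - min_points + 1):
        if _max_residual(curve[i:]) <= tolerance:
            return curve[i][0]
    return None


def flag_intervals(sample: Sequence[float], u: float) -> List[int]:
    """Indices of observation intervals whose count exceeds threshold u."""
    return [i for i, x in enumerate(sample) if x > u]


if __name__ == "__main__":
    # Constructed sample: distinct destinations contacted per interval by one host.
    # Mostly ordinary activity, then a heavy tail from a fast-scanning phase.
    counts = [1, 2, 2, 3, 3, 3, 4, 4, 5, 6] * 3 + [8, 10, 13, 17, 22, 30, 41, 55]
    curve = mean_excess_curve(counts, min_exceedances=4)
    for u, e in curve:
        print(f"u={u:>3}  e(u)={e:6.2f}")
    u_star = pick_threshold(curve, tolerance=1.0)
    print("chosen threshold:", u_star)
    if u_star is not None:
        print("intervals flagged:", flag_intervals(counts, u_star))
```

In practice the curve would be plotted and inspected; the residual test here only automates the visual "where does it become linear" judgment, and the tolerance must be tuned to the scale of the data.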