SWorD: a simple worm detection scheme

Authors:
Matthew Dunlop;Carrie Gates;Cynthia Wong;Chenxi Wang
Affiliations:
United States Military Academy, West Point, NY;CA Labs, CA, Islandia, NY;Carnegie Mellon University, Pittsburgh, PA;Carnegie Mellon University, Pittsburgh, PA
Venue:
OTM'07 Proceedings of the 2007 OTM confederated international conference on On the move to meaningful internet systems: CoopIS, DOA, ODBASE, GADA, and IS - Volume Part II
Year:
2007

Citing 14
Cited 1

Introduction to algorithms

Introduction to algorithms
Throttling Viruses: Restricting propagation to defeat malicious mobile code

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Design, Implementation and Test of an Email Virus Throttle

ACSAC '03 Proceedings of the 19th Annual Computer Security Applications Conference
Slowing Down Internet Worms

ICDCS '04 Proceedings of the 24th International Conference on Distributed Computing Systems (ICDCS'04)
Dynamic Quarantine of Internet Worms

DSN '04 Proceedings of the 2004 International Conference on Dependable Systems and Networks
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
The Blaster Worm: Then and Now

IEEE Security and Privacy
Towards Automatic Generation of Vulnerability-Based Signatures

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Signature metrics for accurate and automated worm detection

Proceedings of the 4th ACM workshop on Recurring malcode
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Anomalous payload-based worm detection and signature generation

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Adaptive detection of local scanners

ACNS'06 Proceedings of the 4th international conference on Applied Cryptography and Network Security

Principal Components of Port-Address Matrices in Port-Scan Analysis

OTM '08 Proceedings of the OTM 2008 Confederated International Conferences, CoopIS, DOA, GADA, IS, and ODBASE 2008. Part II on On the Move to Meaningful Internet Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Detection of fast-spreading Internet worms is a problem for which no adequate defenses exist. In this paper we present a Simple Worm Detection scheme (SWorD). SWorD is designed as a statistical detection method for detecting and automatically filtering fast-spreading TCP-based worms. SWorD is a simple two-tier counting algorithm designed to be deployed on the network edge. The first-tier is a lightweight traffic filter while the second-tier is more selective and rarely invoked.We present results using network traces from both a small and large network to demonstrate SWorD's performance. Our results show that SWorD accurately detects over 75% of all infected hosts within six seconds, making it an attractive solution for the worm detection problem.