The Cornell commission: on Morris and the worm
Communications of the ACM
Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
IEEE Security and Privacy
Worm Detection, Early Warning and Response Based on Local Victim Information
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Polygraph: Automatically Generating Signatures for Polymorphic Worms
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Fast and automated generation of attack signatures: a basis for building self-protecting servers
Proceedings of the 12th ACM conference on Computer and communications security
On deriving unknown vulnerabilities from zero-day polymorphic and metamorphic worm exploits
Proceedings of the 12th ACM conference on Computer and communications security
The monitoring and early detection of internet worms
IEEE/ACM Transactions on Networking (TON)
A Multi-Resolution Approach forWorm Detection and Containment
DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Sweeper: a lightweight end-to-end system for defending against fast worms
Proceedings of the 2nd ACM SIGOPS/EuroSys European Conference on Computer Systems 2007
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
On the Adaptive Real-Time Detection of Fast-Propagating Network Worms
DIMVA '07 Proceedings of the 4th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
On the Limits of Payload-Oblivious Network Attack Detection
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Proceedings of the 16th ACM conference on Computer and communications security
Hit-list worm detection and bot identification in large networks using protocol graphs
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Anomalous payload-based worm detection and signature generation
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Anagram: a content anomaly detector resistant to mimicry attack
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
A survey of internet worm detection and containment
IEEE Communications Surveys & Tutorials
Should security researchers experiment more and draw more inferences?
CSET'11 Proceedings of the 4th conference on Cyber security experimentation and test
Defending against internet worms using honeyfarm
Proceedings of the CUBE International Information Technology Conference
Revisiting network scanning detection using sequential hypothesis testing
Security and Communication Networks
A scalable network forensics mechanism for stealthy self-propagating attacks
Computer Communications
Hi-index | 0.00 |
Many worm detectors have been proposed and are being deployed, but the literature does not clearly indicate which one is the best. New worms such as IKEE.B (also known as the iPhone worm) continue to present new challenges to worm detection, further raising the question of how effective our worm defenses are. In this paper, we identify six behavior-based worm detection algorithms as being potentially capable of detecting worms such as IKEE.B, and then measure their performance across a variety of environments and worm scanning behaviors, using common parameters and metrics. We show that the underlying network trace used to evaluate worm detectors significantly impacts their measured performance. An environment containing substantial gaming and file sharing traffic can cause the detectors to perform poorly. No single detector stands out as suitable for all situations. For instance, connection failure monitoring is the most effective algorithm in many environments, but it fails badly at detecting topologically aware worms.