Analysis of abnormalities of worm traffic for obtaining worm detection vectors

Authors:
Zhengtao Xiang;Yufeng Chen;Yabo Dong;Honglan Lao
Affiliations:
Computer Center, Hubei Automotive Industries Institute, Shiyan, P.R. China;College of Computer Science and Technology, Zhejiang University, Hangzhou, P.R. China;College of Computer Science and Technology, Zhejiang University, Hangzhou, P.R. China;Department of Electrical Engineering, University of Southern California, Los Angeles, CA
Venue:
ISI'06 Proceedings of the 4th IEEE international conference on Intelligence and Security Informatics
Year:
2006

Citing 4
Cited 0

Self-similarity through high-variability: statistical analysis of Ethernet LAN traffic at the source level

IEEE/ACM Transactions on Networking (TON)
Self-similarity in World Wide Web traffic: evidence and possible causes

IEEE/ACM Transactions on Networking (TON)
Inside the Slammer Worm

IEEE Security and Privacy
Implementing and testing a virus throttle

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12

Quantified Score

Hi-index	0.00

Visualization

Abstract

Scanning traffic is the majority of worm traffic. Gaining deep insight into worm traffic can do much help in detecting worm hosts. The distributions of vectors related with First Contact Connections (FCC) of legitimate hosts and worm hosts are analyzed. The vectors are arrival interval, request size, response size, duration and RTT. Distributions of these vectors of worm traffic show abnormalities of the lack of heavy-tailed character, which is hold by that of legitimate traffic. Besides high probability of failed FCC, arrival interval and request size can be used as additional vectors.