Past active Internet worms have caused widespread damage. Knowing the connection characteristics of such a worm very early in its proliferation cycle might provide first responders an opportunity to intercept a global-scale epidemic.

We are presenting a scalable framework for detecting, in near-realtime, active Internet worms on global networks, both public and private. By aggregating network error messages resulting from failed attempts at packet delivery, we are able to infer deviant connection behavior of hosts on interconnected networks. The Internet Control Message Protocol (ICMP) provides such error notification. Using a potentially unlimited number of collectors and analyzers, we identify "blooms" of activity. The connection characteristics of these "blooms" are then correlated to identify worm-like behavior, and an alert is raised.

Promising results have been produced with a simulated Internet worm, demonstrating that new worms can be detected within the first few minutes after release, depending on the level of participating router coverage.
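The abstract gives no algorithm details, so the following is an added illustration, not the paper's implementation: it aggregates ICMP destination-unreachable reports from several routers, flags a "bloom" when one source fails to reach many distinct addresses in a short window, and correlates blooms that share a protocol and port. The record layout, the 60-second window and both thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from typing import NamedTuple

class Unreachable(NamedTuple):          # one ICMP destination-unreachable report
    ts: float      # collector receive time, seconds
    router: str    # router that emitted the ICMP error
    src: str       # sender of the undeliverable packet (from the quoted header)
    dst: str       # address that could not be reached
    proto: str
    dport: int

def find_blooms(events, window=60.0, min_dsts=5):
    """Map (src, proto, dport) -> window start for sources that failed to
    reach >= min_dsts distinct addresses within `window` seconds."""
    by_key = defaultdict(list)
    for e in sorted(events):                      # NamedTuple sorts by ts first
        by_key[(e.src, e.proto, e.dport)].append(e)
    blooms = {}
    for key, evs in by_key.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1                        # slide the window forward
            if len({e.dst for e in evs[start:end + 1]}) >= min_dsts:
                blooms[key] = evs[start].ts
                break
    return blooms

def correlate(blooms, min_hosts=2):
    """Alert on services where several hosts bloom with the same signature."""
    hosts = defaultdict(set)
    for src, proto, dport in blooms:
        hosts[(proto, dport)].add(src)
    return {svc: sorted(h) for svc, h in hosts.items() if len(h) >= min_hosts}

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE = (
    [Unreachable(t, "r1", "192.0.2.10", f"198.51.100.{t}", "tcp", 445) for t in range(1, 7)]
    + [Unreachable(20 + t, "r2", "192.0.2.77", f"203.0.113.{t}", "tcp", 445) for t in range(1, 7)]
    + [Unreachable(5, "r1", "192.0.2.50", "198.51.100.200", "udp", 53),
       Unreachable(300, "r1", "192.0.2.50", "198.51.100.201", "udp", 53)]
)

if __name__ == "__main__":
    print(correlate(find_blooms(SAMPLE)))
```

A host with only occasional failed lookups, such as the UDP/53 source in the sample, never forms a bloom, and a single blooming host does not raise an alert on its own.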