Worm detection systems have traditionally focused on global strategies. In the absence of a global worm detection system, we examine the effectiveness of local worm detection and response strategies. This paper makes three contributions: (1) We propose a simple two-phase local worm victim detection algorithm, DSC (Destination-Source Correlation), based on worm behavior in terms of both infection pattern and scanning pattern. DSC can detect zero-day scanning worms with a high detection rate and a very low false positive rate. (2) We demonstrate the effectiveness of early worm warning based on local victim information. For example, with a /12 monitored network, the warning occurs when 0.19% of all vulnerable hosts on the Internet are infected. (3) Based on local victim information, we investigate and evaluate the effectiveness of an automatic real-time local response in terms of slowing down global Internet worm propagation. Contributions (2) and (3) are general results, not specific to a particular detection algorithm such as DSC. We demonstrate (2) and (3) with both analytical models and packet-level network simulator experiments.