The internet worm program: an analysis
ACM SIGCOMM Computer Communication Review
Code red worm propagation modeling and analysis
Proceedings of the 9th ACM conference on Computer and communications security
Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Designing a Framework for Active Worm Detection on Global Networks
IEEE-IWIA '03 Proceedings of the First IEEE International Workshop on Information Assurance (IWIA'03)
IEEE Security and Privacy
Monitoring and early warning for internet worms
Proceedings of the 10th ACM conference on Computer and communications security
Recent worms: a survey and trends
Proceedings of the 2003 ACM workshop on Rapid malcode
Simulating realistic network worm traffic for worm warning system design and testing
Proceedings of the 2003 ACM workshop on Rapid malcode
Worm propagation modeling and analysis under dynamic quarantine defense
Proceedings of the 2003 ACM workshop on Rapid malcode
Characteristics of internet background radiation
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Toward understanding distributed blackhole placement
Proceedings of the 2004 ACM workshop on Rapid malcode
Worm Detection, Early Warning and Response Based on Local Victim Information
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
The impact of stochastic variance on worm propagation and detection
Proceedings of the 4th ACM workshop on Recurring malcode
Fast and Black-box Exploit Detection and Signature Generation for Commodity Software
ACM Transactions on Information and System Security (TISSEC)
Characterizing and defending against divide-conquer-scanning worms
Computer Networks: The International Journal of Computer and Telecommunications Networking
| Hi-index | 0.00 |
Internet worms cause billions of dollars in damage each year. To combat them, researchers have been exploring global worm detection systems to spot a new random scanning worm outbreak quickly. These systems passively listen for worm probes on unused IP addresses, looking for anomalous increases in probe traffic to distinguish the emergence of a new worm from background Internet noise.In this paper, we use analytic modeling, simulation, and measurement to understand how background noise impacts the detection ability of global scanning worm detectors. We investigate the relationship between the average background noise level, the number of IP addresses monitored, and the detection latency for two classes of global scanning worm detectors: scan packet-based and victims-based schemes. Our results show how worm detection latency degrades as a function of the background noise level. To compensate, global scanning worm detectors can increase the number of IP addresses that they monitor. However, given the growth trend of background noise levels, the number of IP addresses which must be monitored may quickly become unreasonable. Because of this, we conclude that global scanning worm detection schemes are unlikely to be competitive with local scanning and signature-based worm detection schemes.