Effective worm detection for various scan techniques

Authors:
Jianhong Xia;Sarma Vangala;Jiang Wu;Lixin Gao;Kevin Kwiat
Affiliations:
Department of Electrical and Computer Engineering, University of Massachusetts at Amherst, Amherst, MA 01003, USA E-mail: {jxia, svangala, jiawu, lgao}@ecs.umass.edu;Department of Electrical and Computer Engineering, University of Massachusetts at Amherst, Amherst, MA 01003, USA E-mail: {jxia, svangala, jiawu, lgao}@ecs.umass.edu;Department of Electrical and Computer Engineering, University of Massachusetts at Amherst, Amherst, MA 01003, USA E-mail: {jxia, svangala, jiawu, lgao}@ecs.umass.edu;Department of Electrical and Computer Engineering, University of Massachusetts at Amherst, Amherst, MA 01003, USA E-mail: {jxia, svangala, jiawu, lgao}@ecs.umass.edu;Air Force Research Lab, Information Directorate, 525 Brooks Road, Rome, NY 13441, USA E-mail: kwiatk@rl.af.mil
Venue:
Journal of Computer Security
Year:
2006

Citing 8
Cited 2

Code red worm propagation modeling and analysis

Proceedings of the 9th ACM conference on Computer and communications security
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Throttling Viruses: Restricting propagation to defeat malicious mobile code

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Measuring and Modeling Computer Virus Prevalence

SP '93 Proceedings of the 1993 IEEE Symposium on Security and Privacy
Monitoring and early warning for internet worms

Proceedings of the 10th ACM conference on Computer and communications security
Worm Detection, Early Warning and Response Based on Local Victim Information

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Automated response using system-call delays

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13

Characterizing and defending against divide-conquer-scanning worms

Computer Networks: The International Journal of Computer and Telecommunications Networking
Characterizing internet worm infection structure

LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats

Quantified Score

Hi-index	0.00

Visualization

Abstract

In recent years, the threats and damages caused by active worms have become more and more serious. In order to reduce the loss caused by fast-spreading active worms, an effective detection mechanism to quickly detect worms is desired. In this paper, we first explore various scan strategies used by worms on finding vulnerable hosts. We show that targeted worms spread much faster than random scan worms. We then present a generic worm detection architecture to monitor malicious worm activities. We propose and evaluate our detection mechanism called Victim Number Based Algorithm. We show that our detection algorithm is effective and able to detect worm events before 2% of vulnerable hosts are infected for most scenarios. Furthermore, in order to reduce false alarms, we propose an integrated approach using multiple parameters as indicators to detect worm events. The results suggest that our integrated approach can differentiate worm attacks from DDoS attacks and benign scans.