Code red worm propagation modeling and analysis
Proceedings of the 9th ACM conference on Computer and communications security
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Throttling Viruses: Restricting propagation to defeat malicious mobile code
ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Measuring and Modeling Computer Virus Prevalence
SP '93 Proceedings of the 1993 IEEE Symposium on Security and Privacy
Monitoring and early warning for internet worms
Proceedings of the 10th ACM conference on Computer and communications security
Worm Detection, Early Warning and Response Based on Local Victim Information
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Automated response using system-call delays
SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Very fast containment of scanning worms
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Characterizing and defending against divide-conquer-scanning worms
Computer Networks: The International Journal of Computer and Telecommunications Networking
Characterizing internet worm infection structure
LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
Hi-index | 0.00 |
In recent years, the threats and damages caused by active worms have become more and more serious. In order to reduce the loss caused by fast-spreading active worms, an effective detection mechanism to quickly detect worms is desired. In this paper, we first explore various scan strategies used by worms on finding vulnerable hosts. We show that targeted worms spread much faster than random scan worms. We then present a generic worm detection architecture to monitor malicious worm activities. We propose and evaluate our detection mechanism called Victim Number Based Algorithm. We show that our detection algorithm is effective and able to detect worm events before 2% of vulnerable hosts are infected for most scenarios. Furthermore, in order to reduce false alarms, we propose an integrated approach using multiple parameters as indicators to detect worm events. The results suggest that our integrated approach can differentiate worm attacks from DDoS attacks and benign scans.