20th Annual Computer Security Applications Conference (ACSAC'04)
Worm Detection, Early Warning and Response Based on Local Victim Information
Tucson, Arizona
December 06-December 10
ISBN: 0-7695-2252-1
Guofei Gu, Georgia Institute of Technology, Atlanta, GA
Monirul Sharif, Georgia Institute of Technology, Atlanta, GA
Xinzhou Qin, Georgia Institute of Technology, Atlanta, GA
David Dagon, Georgia Institute of Technology, Atlanta, GA
Wenke Lee, Georgia Institute of Technology, Atlanta, GA
George Riley, Georgia Institute of Technology, Atlanta, GA
Worm detection systems have traditionally focused on global strategies. In the absence of a global worm detection system, we examine the effectiveness of local worm detection and response strategies. This paper makes three contributions: (1) We propose a simple two-phase local worm victim detection algorithm, DSC (Destination-Source Correlation), based on worm behavior in terms of both infection pattern and scanning pattern. DSC can detect zero-day scanning worms with a high detection rate and a very low false positive rate. (2) We demonstrate the effectiveness of early worm warning based on local victim information. For example, warning occurs with 0.19% infection of all vulnerable hosts on the Internet when using a /12 monitored network. (3) Based on local victim information, we investigate and evaluate the effectiveness of an automatic real-time local response in terms of slowing down global Internet worm propagation. Contributions (2) and (3) are general results, not specific to a particular detection algorithm such as DSC. We demonstrate (2) and (3) with both analytical models and packet-level network simulator experiments.
Citation:
Guofei Gu, Monirul Sharif, Xinzhou Qin, David Dagon, Wenke Lee, George Riley, "Worm Detection, Early Warning and Response Based on Local Victim Information," 20th Annual Computer Security Applications Conference (ACSAC'04), pp. 136-145, 2004.