DocumentCode
1683005
Title
Efficient content-based detection of zero-day worms
Author
Akritidis, P. ; Anagnostakis, K. ; Markatos, E.P.
Author_Institution
Inst. of Comput. Sci., Hellas Found. for Res. & Technol., Greece
Volume
2
fYear
2005
Firstpage
837
Abstract
Recent cybersecurity incidents suggest that Internet worms can spread so fast that in-time human-mediated reaction is not possible, and therefore the initial response to cyberattacks has to be automated. The first step towards combating new, unknown worms is to be able to detect and identify them at the first stages of their spread. In this paper, we present a novel method for detecting new worms based on identifying similar packet contents directed to multiple destination hosts. We evaluate our method using real traffic traces that contain real worms. Our results suggest that our approach is able to identify novel worms while at the same time keeping the false alarm rate as low as zero percent.
Keywords
Internet; invasive software; telecommunication security; telecommunication traffic; Internet worms; content-based detection; cybersecurity incidents; destination hosts; false alarms; in-time human-mediated reaction; real traffic traces; zero-day worms; Computer crime; Computer science; Computer worms; Detection algorithms; IP networks; Internet; Intrusion detection; Laboratories; Payloads; Telecommunication traffic
fLanguage
English
Publisher
ieee
Conference_Titel
Communications, 2005. ICC 2005. 2005 IEEE International Conference on
Print_ISBN
0-7803-8938-7
Type
conf
DOI
10.1109/ICC.2005.1494469
Filename
1494469