Title :
Detection of Silent Worms using Anomaly Connection Tree
Author :
Kawaguchi, Nobutaka ; Shigeno, Hiroshi ; Okada, Ken-ichi
Author_Institution :
Fac. of Sci. & Technol., Keio Univ., Yokohama
Abstract :
In this paper we propose a worm detection method that detects silent worms effectively in intranet and LANs. Most existing detection methods use aggressive activities of worms as a clue for detection and are ineffective against worms that propagate silently using a list of vulnerable hosts. To detect such worms, we propose anomaly connection tree method (ACTM). ACTM uses two features present to most worms. First is that the worms´s propagation behaviour is expressed as tree-like structures composed of infection connections as edges. Second is that when selecting infection targets, the worm does not consider which hosts its infected host communicates to frequently. Then, by detecting composed of anomaly connections, ACTM detects the existence of worms. Through the simulation results, it has been shown that ACTM can detect the worms in an early stage of the propagation activities.
Keywords :
intranets; invasive software; local area networks; telecommunication security; trees (mathematics); LAN; anomaly connection tree method; intranet; silent worm detection method; Buffer overflow; Computational modeling; Computer networks; Computer simulation; Computer worms; Detection algorithms; Local area networks; Network servers; Tree data structures; Unicast;
Conference_Titel :
Advanced Information Networking and Applications, 2007. AINA '07. 21st International Conference on
Conference_Location :
Niagara Falls, ON
Print_ISBN :
0-7695-2846-5
DOI :
10.1109/AINA.2007.58
