• DocumentCode
    2718932
  • Title

    Detection of Silent Worms using Anomaly Connection Tree

  • Author

    Kawaguchi, Nobutaka ; Shigeno, Hiroshi ; Okada, Ken-ichi

  • Author_Institution
    Fac. of Sci. & Technol., Keio Univ., Yokohama
  • fYear
    2007
  • fDate
    21-23 May 2007
  • Firstpage
    412
  • Lastpage
    419
  • Abstract
    In this paper we propose a worm detection method that effectively detects silent worms in intranets and LANs. Most existing detection methods use the aggressive activities of worms as a clue for detection and are ineffective against worms that propagate silently using a list of vulnerable hosts. To detect such worms, we propose the anomaly connection tree method (ACTM). ACTM uses two features present in most worms. The first is that a worm's propagation behaviour is expressed as tree-like structures composed of infection connections as edges. The second is that, when selecting infection targets, the worm does not consider which hosts its infected host communicates with frequently. Then, by detecting trees composed of anomaly connections, ACTM detects the existence of worms. Simulation results show that ACTM can detect the worms at an early stage of their propagation activities.
  • Keywords
    intranets; invasive software; local area networks; telecommunication security; trees (mathematics); LAN; anomaly connection tree method; intranet; silent worm detection method; Buffer overflow; Computational modeling; Computer networks; Computer simulation; Computer worms; Detection algorithms; Local area networks; Network servers; Tree data structures; Unicast;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Advanced Information Networking and Applications, 2007. AINA '07. 21st International Conference on
  • Conference_Location
    Niagara Falls, ON
  • ISSN
    1550-445X
  • Print_ISBN
    0-7695-2846-5
  • Type

    conf

  • DOI
    10.1109/AINA.2007.58
  • Filename
    4220922