DocumentCode
575064
Title
An innovative behavioral approach to worm detection
Author
Li, Zongsheng
Author_Institution
Comput. Network & Inf. Security Res. Center(IV), Harbin Inst. of Technol., Weihai, China
fYear
2011
fDate
Nov. 29 2011-Dec. 1 2011
Firstpage
666
Lastpage
670
Abstract
This paper presents a new approach to the automatic detection of worms using behavioral signatures with sequential hypothesis testing. Characteristic patterns of worm behavior in network traffic include 1) sending similar data from one machine to the next, 2) tree-like propagation and reconnaissance, 3) changing a server into a client [1], and 4) infected hosts should meet the basic requirements [2]. The sequential hypothesis testing theory first developed by Wald [3] overcomes the difficulty of finding a threshold for determining whether a host is infected when we build a tree of worm propagation. In addition, to slow down the propagation of worms, we alter an existing method, connection rate limiting, into packet-sending rate limiting. Our results show that this approach successfully restricts the number of packets sent by worms and has a low false alarm rate and a low missing alarm rate.
Keywords
Internet; invasive software; trees (mathematics); automatic worm detection; connection rate limiting; innovative behavioral approach; low false alarm rate; low missing alarm rate; network traffic; packet-sending rate limiting; sequential hypothesis testing; tree-like propagation; worm behaviors; worm propagation; Equations; Grippers; Internet; Limiting; Reconnaissance; Servers; Testing;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer Sciences and Convergence Information Technology (ICCIT), 2011 6th International Conference on
Conference_Location
Seogwipo
Print_ISBN
978-1-4577-0472-7
Type
conf
Filename
6316700