Haibin Shen

2008-01-01

Abstract:In order to prevent the huge damage caused by computer worms,an innovative approach using support vector machine(SVM) classifier for detecting unknown computer worm based on the measurement of computer performance was proposed to alarm Internet users.In the experiment,system features were monitored from window performance counters with different applications running on and bayesian network theorem was applied on selecting features from which the judging rule is deduced by SVM.As proved by the result from testing experiment,the system can detect the presence of an unknown worm by reaching high accuracy,so that it can be well known that the model using SVM active learning the less prior knowledge has a good performance on detecting unknown computer worms.

Bo CHEN,Bin-Xing FANG,Xiao-Chun YUN

2007-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new monitoring algorithm. Based on the monitoring result, we present an adaptive method to detect un-known worm by using recursive least squares estimation. The experiment result proves that our approach can be effectively, quickly and robust to detect unknown worm.

朱禹,沈海斌,周喜川

DOI: https://doi.org/10.3969/j.issn.1005-9490.2008.06.060

2008-01-01

Abstract:Comparing to the common anti-virus tools,we propose a new host-based approach for detecting unknown computer worms based on the measurement of computer behaviors,rather than recognizing specific instances of worms.We collected 323 features in order to reflect the computer behaviors and used a new feature selection method to reduce classified features.In the experiment,Bayesian Network theorem was applied on the several feature subsets to deduce the rule.We performed several experiments to evaluate the detection system,focusing on computer worms being injected in the computer while running several programs in order to simulate different background statuses.The average accuracy we achieved was above 80% for unknown worms sample and for known worms even above 99%.

Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

Bo CHEN,Bin-xing FANG,Xiao-chun YUN

DOI: https://doi.org/10.3321/j.issn:0367-6234.2007.03.025

2007-01-01

Abstract:The worm's behavior model and propagation model are presented.Then a new approach to early detection of Internet worms is provided.The method can be divided into two parts: monitoring computers' connection degree in metwork and detecting Internet worms using method of least squares.The experiment result proves that our approach is effectively and quickly to detect unknown worm.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

YF Chen,YB Dong,DM Lu,YH Pan,ZT Xiang

DOI: https://doi.org/10.1109/icnsc.2005.1461215

2005-01-01

Abstract:Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

C Bo,BX Fang,XC Yun

DOI: https://doi.org/10.1109/icmlc.2005.1527351

2005-01-01

Abstract:In recent years, Internet-scale worm incidents occurred many times. People wonder at the speediness of the worm spread and the severe damage to the Internet. So people began to find methods to detect worms as quickly as possible. The paper first describes a worm behavior and propagation model. And then based on it, a new approach for early detection of Internet worms is proposed. This approach determines whether a worm incident has occurred by the change of the computers' connection degree. The approach is proved to be effective on early detection of unknown worms by experiments.

Hui He,Ming-Zeng Hu,Wei-Zhe Zhang,Hong-Li Zhang

2005-01-01

Abstract:Internet worms are becoming a major threat to the security of today's large-scale networks. The fast spreading nature of worms calls for a worm monitoring and early detection system. In this paper, an effective algorithm for early detection of the active worms and the corresponding detection system are proposed. The detection engine is the key components to the system, and the early detection algorithm based on multi-similarity is discussed in detail, which is the core of the engine, that integrates the worms' behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution change of some attributes. Our simulation experiments show that the system can detect the presence worms intrusion when attacks don't arouse the sharp changes of the network traffic. It can detect the worm attack ahead of its overspreading on the large-scale network.

Chen Bo,Bin-Xing Fang,Jun Zheng,Xiao-Chun Yun

2006-01-01

Abstract:Worm attacks represent a major security problem. It is clear that a simple self-propagation worm can quickly spread on Internet. And every worm incident can cause severe damage to our society. The main task of defense mechanism is to quickly detect worm attacks and response to constrain their propagation. We propose a distributed mechanism which is composed of two parts: a Date Processing Centre and distributed sensors for defending against worm attacks. These distributed sensors monitor the network and detect worm. Once a worm attack is detected, a dropping packet mechanism is used so that (1) the worm propagation is constrained, and (2) number of interference with normal activity is minimize. We report experimental results to prove the robustness and efficiency of the proposed defense mechanism.

Yufeng Chen,Yabo Dong,Dongming Lu,Zhengtao Xiang

DOI: https://doi.org/10.1007/978-3-540-25952-7_47

2004-01-01

Abstract:Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

Chen Bo,Yu Xiangzhan,Fang Binxing,Yun Xiaochun

DOI: https://doi.org/10.1007/s11460-007-0087-7

2007-01-01

Frontiers of Electrical and Electronic Engineering in China

Abstract:There appear many Internet-scale worm incidents in recent years, which have caused severe damage to the society. It is clear that a simple self-propagation worm can quickly spread across the Internet. Therefore, it is necessary to implement automatic mitigation which can detect worm and drop its packet. In this paper, the worm’s framework was first analyzed and its two characteristics were detected. Based on the two characteristics, a defending algorithm was presented to protect network. Experimental results verify that our algorithm is very effective to constrain the worm propagation and meanwhile it almost does not interfere in normal activity.

Hui He,Mingyi Hu,Weizhe Zhang,Hongli Zhang

DOI: https://doi.org/10.1007/11739685_70

2006-01-01

Abstract:Internet worms constitute a major threat to the security of today’s networks. They work by exploiting vulnerabilities in operating systems and application software that run on end systems. In this paper, an effective algorithm for fast detection of worms is proposed. It integrates the worms’ behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution and changes in some of their attributes. The process of fast detection based on similarity is discussed in detail including threshold selection, similarity detection algorithm and fine analysis. Simulation experiments show that the detection algorithm can locate the worm infection prior to it spreading over the large-scale network.

P Wang,BX Fang,XC Yun

DOI: https://doi.org/10.1109/pdcat.2005.25

2005-01-01

Abstract:Worms have seriously harmed computer and network systems due to their rapid spread rate. Therefore, it is necessary to research automatic worm detection systems in large networks. In this paper, data stream based anomaly detection is used to screen out anomalous network data flow, subsequently, the signature is extracted. After analyzed, the signature is updated to the misuse detection pattern. Based on an automatic worm defense, a system could discover an epidemic situation effectively and detect an unknown worm.

LIAO Ming-tao,ZHANG De-yun,HOU Lin,LI Jin-ku

DOI: https://doi.org/10.3969/j.issn.1000-7180.2007.05.030

2007-01-01

Abstract:On the basis of characteristics of network worms attack, a system for early detection of network worms based on failed connections analysis is proposed. This system detects worms in real-time by calculating dissimilar degree of failed connections traffic distribution from the normal state. Furthermore, a method of analyzing self-similarity of failed connections set is developed to reduce the false positives caused by traffic noise. The experiment based on a prototype system shows that the approach can detect unknown worms in real-time, extract possible features of worms scan, derive the list of likely infected hosts. Compared to existing methods, this system is more sensitive, and has a lower false positive rate.

Xiao Ying,Yun Xiaochun,Xin Yi

DOI: https://doi.org/10.3321/j.issn:1002-8331.2006.07.035

2006-01-01

Abstract:Nowadays,the worm becomes the biggest threat in the Internet,the method of propagation of worm is becoming more intelligent and enshrouded.Search engines are used to retrieve interesting things,meanwhile,they can be used by worm for propagation.Worms based on search engines implement enshrouded,precise propagation with small network traffic.In this paper,we introduce the feature of this kind of worm,and then we propose a client search model and an anomalous detection algorithm.This method is proved to be of high efficiency by experiments.

H He,HL Zhang,WZ Zhang,MZ Hu,ZJ Tang

DOI: https://doi.org/10.1109/icmlc.2005.1527616

2005-01-01

Abstract:Worm detection methods play an important role as frequent breakouts of Internet worm result in tremendous economic destruction. On the basis of analyzing characteristics of normal network traffic distribution, an early worm detection method based on multi-similarity is proposed. It integrates the worms' behavior attribute with its traffic distribution and detects abnormal behavior by its distribution similarity of its certain features. According to the network simulation experiments, the detection method can find out the worms intrusion against the large-scale network traffic, which does not arouse the sharp changes of the network traffic.

ZM Cai,TH Qin,X Guan,XB Ma,XM Zhou

2006-01-01

Abstract:Internet is perhaps the most complex man-made system. Its complexity makes internet security a very hard problem which attracts a lot of research interests. Recent large-scale and fast spreading internet worms led to researches in automated containment against self-propagating worms and early worm detection is widely believed as the essential choke point of worm containment. In this paper, two new concepts, flow intensity and flow distribution intensity, are proposed to capture fundamental characteristics of network traffic. Although raw network traffics are non-stable, we find that the calculated flow intensity and flow distribution intensity are stable processes with non-zero means. We also find that the abnormal network behavior, e.g. occurrences of worms, will lead to significant changes of the stable process's mean and variance. EWMA (Exponential Weighted Moving Average) control charts are applied to the detection of the change point and in turn the detection of early worm propagation. The extensive experimental results show that our method detects early worm propagation in local networks both quickly and accurately.