Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

王勇超,谢永凯,朱之平,董亚波

DOI: https://doi.org/10.3969/j.issn.1001-3695.2010.01.070

2010-01-01

Abstract:This paper presented a method of analyzing the probability of Internet worm infection in internal network.Analyzed the packets through the switch in network by using the active of Internet worm,acquired the amount of abnormal packets,then analyzed the number of abnormal packets to get the abnormal packets rise rate by using AR model.Weighted the abnormal flow and abnormal packets rise rate in internal network,comprehensively estimated them and got the probability of Internet worm infection in internal network.The experiment results show that the method is effective and feasible.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

ZM Cai,TH Qin,X Guan,XB Ma,XM Zhou

2006-01-01

Abstract:Internet is perhaps the most complex man-made system. Its complexity makes internet security a very hard problem which attracts a lot of research interests. Recent large-scale and fast spreading internet worms led to researches in automated containment against self-propagating worms and early worm detection is widely believed as the essential choke point of worm containment. In this paper, two new concepts, flow intensity and flow distribution intensity, are proposed to capture fundamental characteristics of network traffic. Although raw network traffics are non-stable, we find that the calculated flow intensity and flow distribution intensity are stable processes with non-zero means. We also find that the abnormal network behavior, e.g. occurrences of worms, will lead to significant changes of the stable process's mean and variance. EWMA (Exponential Weighted Moving Average) control charts are applied to the detection of the change point and in turn the detection of early worm propagation. The extensive experimental results show that our method detects early worm propagation in local networks both quickly and accurately.

Yufeng Chen,Yabo Dong,Dongming Lu,Zhengtao Xiang

DOI: https://doi.org/10.1007/978-3-540-25952-7_47

2004-01-01

Abstract:Worm is becoming a more and more serious issue because worm attacks can cause huge loss in short time due to the fast-spreading character. When breaking out, worms induce abnormal traffic unlike the normal traffic, which gives us a clue of worm detecting by analyzing the abnormal characteristics of traffic involving worms, i.e. lumped traffic. Worm detection based on analyzing abnormal traffic characteristics has the advantage that it can detect novel worms without understanding the nature of the worms. And worm detection at network level is one possible detecting path, especially for Network Intrusion Detection Systems(NIDS). In this poster, we present the diversity of traffic characteristics between the normal traffic and worm traffic from the self-similarity point of view, which can be a preparation for the further investigation of the diversity of traffic characteristics between the normal traffic and lumped traffic.

Zhongmin Cai,Tao Qin

DOI: https://doi.org/10.3321/j.issn:0253-987X.2007.04.003

2007-01-01

Abstract:Based on NetFlow, the definition of two net-flows, Host-Net-Flow and Region-Net-Flow, as well as a depictive method for corresponding network traffic characteristics are proposed. The netflows are abstracted from the host level and network level by the definition. The incorporation of netflow information in bottom level is implemented, and the number of netflow records can significantly be reduced without losing key network traffic characteristics. EWMA (exponential weighted moving average) control chart models are employed to forecast and estimate the distilled network traffic features, then an early net-worm propagation detection method is presented considering the features of network worm propagation. The experimental results show that the early worm propagation in local networks can be detected both quickly and accurately by the proposed method, thereby worm propagation can be controlled as soon as possible.

Yufeng Chen,Yabo Dong,Dongming Lu,Yunhe Pan

DOI: https://doi.org/10.1007/11427995_50

2005-01-01

Abstract:Worms have been becoming a serious threat in web age because worms can cause huge loss due to the fast-spread property. To detect worms effectively, it is important to investigate the characteristics of worm traffic at individual source level. We model worm traffic with the multi-fractal process, and compare the multi-fractal property of worm and normal traffics at individual source level. The results show that the worm traffic possesses less multi-fractal property.

Yi Xin,Bin-Xing Fang,Xiao-Chun Yun,Hai-Yong Chen

DOI: https://doi.org/10.1109/PDCAT.2005.255

2005-01-01

Abstract:Nowadays, worms have been one of the leading threats to information security and service availability. Current operational practices have not been able to manage the threat effectively. So it is very important to make early warning of the burst of worm in large scale network. In this paper we analyze the real network traffic in large scale network. Based on long time statistic, we construct a network traffic model which concern two parameters: the traffic volume and curve of traffic function. And then we propose a method to computer the function curve of normal traffic function in ideal condition. We deployed them in our campus network (more than 20000 computers, 400M/s bandwidth to internet).It is shown that the worms are detected automatically and efficiently.

YF Chen,YB Dong,DM Lu,YH Pan,ZT Xiang

DOI: https://doi.org/10.1109/icnsc.2005.1461215

2005-01-01

Abstract:Worm detection system must detect worms efficiently and effectively. Current detection methods are mainly based on the property of low successful connections rate of worms. However, they may neglect worms if worms insert successful connections deliberately. Because the size in packets or bytes of normal TCP connections is heavy-tailed, we present a detection method by combining detection criteria of failed connections and heavy-tailed distribution of connection size for a given local host. It is more difficult for worms to evade. The method can decrease false negative and positive rates. The experiments show that our method can detect scanning worms with high efficiency and effectiveness.

Chen Bo,Bin Xing Fang,Xiao Chun Yun

DOI: https://doi.org/10.1007/11760146_16

2006-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new algorithm for detecting worms. Our algorithm first monitors the computers on network and gets the number of abnormal computers. Then based on the monitoring result, we detect an unknown worm by using recursive least squares estimation. The experiments result proves that our approach is effective to detect unknown worm.

P Wang,BX Fang,XC Yun

DOI: https://doi.org/10.1109/pdcat.2005.25

2005-01-01

Abstract:Worms have seriously harmed computer and network systems due to their rapid spread rate. Therefore, it is necessary to research automatic worm detection systems in large networks. In this paper, data stream based anomaly detection is used to screen out anomalous network data flow, subsequently, the signature is extracted. After analyzed, the signature is updated to the misuse detection pattern. Based on an automatic worm defense, a system could discover an epidemic situation effectively and detect an unknown worm.

H He,HL Zhang,WZ Zhang,MZ Hu,ZJ Tang

DOI: https://doi.org/10.1109/icmlc.2005.1527616

2005-01-01

Abstract:Worm detection methods play an important role as frequent breakouts of Internet worm result in tremendous economic destruction. On the basis of analyzing characteristics of normal network traffic distribution, an early worm detection method based on multi-similarity is proposed. It integrates the worms' behavior attribute with its traffic distribution and detects abnormal behavior by its distribution similarity of its certain features. According to the network simulation experiments, the detection method can find out the worms intrusion against the large-scale network traffic, which does not arouse the sharp changes of the network traffic.

LIU Peng,XIAO Zong-shui,LI Wei

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.09.032

2006-01-01

Abstract:Worm epidemic might spread at unprecedented high speed in high-speed links.And it is very necessary to design a compre-hensive automated defense system.The design of the system must base on high reliable detection accuracy and real-time traffic analysis.To solve these problems,a detecting method was presented which is based on the visualization of worm traffic flow.A simple and novel visualization scheme was introduced,which plots a packet in a 3-dimensional space using its source IP address,destination IP address and the destination port.After the high-speed link's traffic flow is visualized through this scheme,worms could be detected easily.Based on this character,an efficient attack detection and classification algorithm was brought forth.

Xiaojun Tong,Zhangquan Zhao,Huimin Shuai,Zhu Wang

DOI: https://doi.org/10.1109/DCABES.2010.51

2010-01-01

Abstract:At present there are some worm intrusion detection systems, primarily for a single LAN or with hardware router environment, which are not applicable for large-scale network detection or have high false alarm rate by using only worm propagation characteristics for detection. This paper analyzed worm non-linear propagation models and drew out the worm transmission curves. Then a distributed worm detection technology is designed. The novel distributed worm detection system consists of two parts, client end and console end programs. The system uses rule-based detection method to monitor network worms, and the console side manages and coordinates detection work of the client sides. Experimental results show that the technology is a good solution to worm detection in multiple network environments which can give an alarm with high detection rate and low false alarm rate when the known worm appears. © 2010 IEEE.

LIAO Ming-tao,ZHANG De-yun,HOU Lin,LI Jin-ku

DOI: https://doi.org/10.3969/j.issn.1000-7180.2007.05.030

2007-01-01

Abstract:On the basis of characteristics of network worms attack, a system for early detection of network worms based on failed connections analysis is proposed. This system detects worms in real-time by calculating dissimilar degree of failed connections traffic distribution from the normal state. Furthermore, a method of analyzing self-similarity of failed connections set is developed to reduce the false positives caused by traffic noise. The experiment based on a prototype system shows that the approach can detect unknown worms in real-time, extract possible features of worms scan, derive the list of likely infected hosts. Compared to existing methods, this system is more sensitive, and has a lower false positive rate.

Hui He,Mingyi Hu,Weizhe Zhang,Hongli Zhang

DOI: https://doi.org/10.1007/11739685_70

2006-01-01

Abstract:Internet worms constitute a major threat to the security of today’s networks. They work by exploiting vulnerabilities in operating systems and application software that run on end systems. In this paper, an effective algorithm for fast detection of worms is proposed. It integrates the worms’ behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution and changes in some of their attributes. The process of fast detection based on similarity is discussed in detail including threshold selection, similarity detection algorithm and fine analysis. Simulation experiments show that the detection algorithm can locate the worm infection prior to it spreading over the large-scale network.

Xiaojun Tong,Zhangquan Zhao,Huimin Shuai,Zhu Wang

DOI: https://doi.org/10.1109/WCINS.2010.5541811

2010-01-01

Abstract:At present there are some worm detection systems, primarily for a single LAN or with hardware router environment, which main use worm propagation characteristics for detection and has high false alarm rate, but it is not applicable for large-scale network for detecting. This paper presents a distributed worm detection technology, which is divided into two parts, client end and the console end program. The system uses the rule-based detection methods to monitor network worms, and the console side manages and coordinates the multiple side work of detecting. Experimental results show that the method can be good applicable for worms conduct surveillance based on a single or multiple local area network and is used for worm alarming, the method has high detection rate and low false alarm rate. © 2010 IEEE.

Ping Ren,Wu Liu,Ke Liu,Donghong Sun

DOI: https://doi.org/10.1109/IWCDM.2011.36

2011-01-01

Abstract:As the flooding of malicious codes such as worms, how to analyze large number of malicious samples quickly and effectively becomes a great issue for researchers in network security. This paper proposed an analysis algorithm for worm network behavior based on event sequence, which uses the data flow recombination and compression methods to process the pure malicious data. With this algorithm, one can quickly extract the network behavior profile and the signature of the worm. The application of this algorithm will greatly improve the efficiency of analyzing the worm network behavior, which will be significant for the deployment of firewalls and network invasion detection systems.

WEN Shi-qiang,DUAN Hai-xin,WU Jian-ping

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.05.007

2005-01-01

Abstract:New internet worm including many attack measures, such as virus, trojan and DDDS, will cause network block even paralysis, when it breaks out. A detection algorithm is brought forward which can find abnormity in the forepart of worm eruption by detection on variable rate of network flux, and then network administrators and emergency response teams can gain more time to take measures before worm blocks the network. This algorithm is evaluatedby DARPA98 intrusion detection evaluation system and has applied to real flux data of worm (Blaster、Nachi、slammer) eruption.