Yufeng Chen,Zhengtao Xiang,Yabo Dong,Dongming Lu

DOI: https://doi.org/10.1109/ical.2008.4636301

2008-01-01

Abstract:Worms not only infect vulnerable hosts, but also occupy a large amount of network bandwidth, which affects the normal operation of the network seriously. To achieve the worm detection and automatic quarantine in real time, a cooperation system of worm detection and quarantine is designed and implemented. The worm detection subsystem is implemented based on Bro and can detect worms in real time with our algorithm, which based on the failure probability of FCC and of heavy-tailed property. The worm quarantine subsystem can quarantine worm hosts automatically with ARP-spoofing. The cooperation between detection subsystem, quarantine subsystem and manager is achieved based on SNMP protocol. The system can be deployed easily with little effect on LAN. Experimental results show that the system can detect and quarantine worm hosts effectively.

向郑涛,陈宇峰,董亚波,鲁东明

DOI: https://doi.org/10.16208/j.issn1000-7024.2009.05.037

2009-01-01

Abstract:The worm detection technologies are discussed. Anomaly detection will be a promising development because of the ability to detect unknown worms. For passive detection, the HoneyPot system designed deliberately with vulnerabilities is used to attract atta- ckers, collect attack information and process analysis. Active detection methods can process the mixed traffics of benign hosts and worm hosts, including the payload-based and behavior-based worm detection methods. The characters and applicability of each method are discussed. The viewpoint that more effective worm detection indices are needed for detection methods is proposed. Based on the diffe- rences of traffic self-similarity between benign hosts and worm hosts, the idea on how to select real-time detection indices is interpreted.

Haibin Shen

2008-01-01

Abstract:In order to prevent the huge damage caused by computer worms,an innovative approach using support vector machine(SVM) classifier for detecting unknown computer worm based on the measurement of computer performance was proposed to alarm Internet users.In the experiment,system features were monitored from window performance counters with different applications running on and bayesian network theorem was applied on selecting features from which the judging rule is deduced by SVM.As proved by the result from testing experiment,the system can detect the presence of an unknown worm by reaching high accuracy,so that it can be well known that the model using SVM active learning the less prior knowledge has a good performance on detecting unknown computer worms.

朱禹,沈海斌,周喜川

DOI: https://doi.org/10.3969/j.issn.1005-9490.2008.06.060

2008-01-01

Abstract:Comparing to the common anti-virus tools,we propose a new host-based approach for detecting unknown computer worms based on the measurement of computer behaviors,rather than recognizing specific instances of worms.We collected 323 features in order to reflect the computer behaviors and used a new feature selection method to reduce classified features.In the experiment,Bayesian Network theorem was applied on the several feature subsets to deduce the rule.We performed several experiments to evaluate the detection system,focusing on computer worms being injected in the computer while running several programs in order to simulate different background statuses.The average accuracy we achieved was above 80% for unknown worms sample and for known worms even above 99%.

WANG Wei,LU Dongming,DONG Yabo,CHEN Yufeng

DOI: https://doi.org/10.3969/j.issn.1000-3428.2006.17.072

2006-01-01

Abstract:With the rapid development of computer technology,Internet applications are used more and more widely,computer networks are exposed to various threats,especially network worms.This paper introduces the definition and principle of network worms,and based on the mechanism of network worms,it proposes and implements a network worm detection system for Internal network,which is proved to be able to detect the network worm accurately.

BaiLing Wang,BinXing Fang,XiaoChun Yun

DOI: https://doi.org/10.1007/11590354_9

2005-01-01

Abstract:A new detection approach based on worm behaviors for IDS anti-worm is presented. By the method, the susceptible hosts probed by worms can be detected, and then an immediate counter-attack to the susceptible host can be proposed. As a case study, a simulation on the IDS-based anti-worm counter-attacking the malicious worm is given, which shows the new containment is much more effective and bring less traffic to network than the traditional one. It can be used as a reference for Grid security infrastructure.

Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Ye Guo,Miaoliang Zhu

DOI: https://doi.org/10.1109/IMSCCS.2006.178

2006-01-01

Abstract:Considering the shortcomings of the current worm Defense system, an agent-oriented worm Defense system, AOSWD, is proposed in this paper. In the hierarchical framework of AOSWD, the agents are independent but can roam in the network freely and collaborate with each other to defend against Internet worms. In this paper, we discuss the system architecture and the realization details, propose the key technique for the system and analyze the system performance.

Chen Bo,Bin Xing Fang,Xiao Chun Yun

DOI: https://doi.org/10.1007/11760146_16

2006-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new algorithm for detecting worms. Our algorithm first monitors the computers on network and gets the number of abnormal computers. Then based on the monitoring result, we detect an unknown worm by using recursive least squares estimation. The experiments result proves that our approach is effective to detect unknown worm.

Chen Bo,Yu Xiangzhan,Fang Binxing,Yun Xiaochun

DOI: https://doi.org/10.1007/s11460-007-0087-7

2007-01-01

Frontiers of Electrical and Electronic Engineering in China

Abstract:There appear many Internet-scale worm incidents in recent years, which have caused severe damage to the society. It is clear that a simple self-propagation worm can quickly spread across the Internet. Therefore, it is necessary to implement automatic mitigation which can detect worm and drop its packet. In this paper, the worm’s framework was first analyzed and its two characteristics were detected. Based on the two characteristics, a defending algorithm was presented to protect network. Experimental results verify that our algorithm is very effective to constrain the worm propagation and meanwhile it almost does not interfere in normal activity.

ZHAO Yuan-dong,YANG Xiong,YUN Xiao-chun

DOI: https://doi.org/10.3321/j.issn:1000-8608.2005.z1.042

2005-01-01

Abstract:Based on the comparison and analysis of several worms containment strategy,a new and effective strategy of worm dynamic defence and containment(which is named DDWC) is proposed.The effectiveness for containing top-speed scan worm and slow-speed scan worm is demonstrated.The impact of normal network traffic on the containment strategy is also analyzed so that it brings down false positives largely.The simulation results have verified that the improved two-rotation quarantine algorithm can contain worms effectively and create lower false alarms.

Bo CHEN,Bin-Xing FANG,Xiao-Chun YUN

2007-01-01

Abstract:After many Internet-scale worm incidents in recent years, it is clear that a simple self-propagation worm can quickly spread across the Internet. And every worm incidents can cause severe damage to our society. So it is necessary to build a system that can detect the presence of worm as quickly as possible. This paper first analyzes the worm’s framework and its propagation model. Then, we describe a new monitoring algorithm. Based on the monitoring result, we present an adaptive method to detect un-known worm by using recursive least squares estimation. The experiment result proves that our approach can be effectively, quickly and robust to detect unknown worm.

Yang Xiong,Zhu Yuguang,Yun Xiaochun

DOI: https://doi.org/10.3969/j.issn.1000-386X.2010.05.084

2010-01-01

Abstract:Based on the analytical comparison of quite a few worm detection and restraint strategies,an improved dual-cycle worm detection and restraint algorithm is proposed in this paper.The effectiveness of the algorithm in detecting and restraining the attacks from normal worm scanning and concealed worm scanning is discussed.Meanwhile the impact of misusing routine network traffic is also taken into consideration,so that it brings down the false alarm rate greatly.At last,the worm detection effect of the algorithm is analysed through the simulation experiment in the backgrounds of usual network and congestion network,the results verifies that the algorithm can detect and restrain worms effectively whilst the false alarms is quite low.

ZHANG Xin-Yu,QING Si-Han,LI Qi,LI Da-Zhi,HE Zhao-Hui

DOI: https://doi.org/10.1360/jos180412

2007-01-01

Journal of Software

Abstract:There are several global detection methods, but they do not apply to local net. A new cooperative approach to automatic detection of worms using local nets is presented in this paper, which is called CWDMLN (coordinated worm detection method based on local nets). This algorithm focuses on scanning worm characteristics in local nets and uses different methods to cope with different worm behaviors, including using honeypots to deceive worms. CWDMLN coordinates these methods to give graded alarms to notify worm attacks. The grades reflect reliability of alarms. Experimental results show that this approach is promising for it can quickly find worm intrusion in local nets and extract unknown worm signatures that can be used for IDS (intrusion detection system) or firewall to prevent more worm threats. This method can also contribute to global worm alarming by scaling.

P Wang,BX Fang,XC Yun

DOI: https://doi.org/10.1109/pdcat.2005.25

2005-01-01

Abstract:Worms have seriously harmed computer and network systems due to their rapid spread rate. Therefore, it is necessary to research automatic worm detection systems in large networks. In this paper, data stream based anomaly detection is used to screen out anomalous network data flow, subsequently, the signature is extracted. After analyzed, the signature is updated to the misuse detection pattern. Based on an automatic worm defense, a system could discover an epidemic situation effectively and detect an unknown worm.

Hui He,Ming-Zeng Hu,Wei-Zhe Zhang,Hong-Li Zhang

2005-01-01

Abstract:Internet worms are becoming a major threat to the security of today's large-scale networks. The fast spreading nature of worms calls for a worm monitoring and early detection system. In this paper, an effective algorithm for early detection of the active worms and the corresponding detection system are proposed. The detection engine is the key components to the system, and the early detection algorithm based on multi-similarity is discussed in detail, which is the core of the engine, that integrates the worms' behavior attributes with their traffic distribution and detects abnormal behavior by their similarity distribution change of some attributes. Our simulation experiments show that the system can detect the presence worms intrusion when attacks don't arouse the sharp changes of the network traffic. It can detect the worm attack ahead of its overspreading on the large-scale network.

Matthew Dunlop,Carrie Gates,Cynthia Wong,Chenxi Wang

DOI: https://doi.org/10.1007/978-3-540-76843-2_44

2007-01-01

Abstract:Detection of fast-spreading Internet worms is a problem for which no adequate defenses exist. In this paper we present a Simple Worm Detection scheme (SWorD). SWorD is designed as a statistical detection method for detecting and automatically filtering fast-spreading TCP-based worms. SWorD is a simple two-tier counting algorithm designed to be deployed on the network edge. The first-tier is a lightweight traffic filter while the second-tier is more selective and rarely invoked. We present results using network traces from both a small and large network to demonstrate SWorD's performance. Our results show that SWorD accurately detects over 75% of all infected hosts within six seconds, making it an attractive solution for the worm detection problem.

C Bo,BX Fang,XC Yun

DOI: https://doi.org/10.1109/icmlc.2005.1527351

2005-01-01

Abstract:In recent years, Internet-scale worm incidents occurred many times. People wonder at the speediness of the worm spread and the severe damage to the Internet. So people began to find methods to detect worms as quickly as possible. The paper first describes a worm behavior and propagation model. And then based on it, a new approach for early detection of Internet worms is proposed. This approach determines whether a worm incident has occurred by the change of the computers' connection degree. The approach is proved to be effective on early detection of unknown worms by experiments.

ZHENG Hui,DUAN Haixin

2004-01-01

Abstract:Most of researches focus on modeling and detection of the Internet worm propagation, but in practice, the final objects are containment and elimination of Internet worm, which have not received enough research effects. In this paper, three categories of active technologies to contain Internet worm were introduced: vaccination for containing susceptible machines, forcing shutdown for containing infected machines, and bidirectional leading for containing worm spreading traffic. These technologies can be adopted to construct one or more automated Internet worm defense systems in any phase of Internet worm defense: prevention, detection, containment and elimination. Our experiment in large scale network shows that when combined with those active technologies, automated Internet worm defense systems are more effective to contain the Internet worm and to shorten the defense time.

Matthew Dunlop,Carrie Gates,Cynthia Wong,Chenxi Wang

2007-01-01

Abstract:Detection of fast-spreading Internet worms is a problem for which no adequate defenses exist. In this paper we present a S imple Worm Detection scheme (SWorD). SWorD is designed as a statistical detection method for detecting and automatically filtering fast-spreading TCP-based worms. SWorD is a simple two-tier counting algorithm designed to be deployed on the network edge. The first-tier is a lightweight traffic filter while the second-tier is more selective and rarely invoked. We present results using network traces from both a small and large network to demonstrate SWorD ’s performance. Our results show that SWorD accurately detects over 75% of all infected hosts within six seconds, making it an attractive solution for the worm detection problem.