Internet worms pose a serious threat to networks. Most current Intrusion Detection Systems (IDSs) take signature matching approach to detect worms. Given the fact that most signatures are developed manually, generating new signatures for each variant of a worm incurs significant overhead. In this paper, we propose a difference-based scheme which differences worm flows and normal flows to generate robust worm signatures. The proposed scheme is based on two observational facts -worm flows contain several invariant portions in their payloads, and core worm codes do not exist in normal flows. It uses samples of worm flows detected by available means to extract common tokens. It then differences the set of these tokens with those of normal flows and generates signature candidates. By using such signatures within enterprises, out of reach of worm writers, the possibility of being tricked by worm writers can be reduced. We evaluate the proposed scheme using real network traffic traces that contains worms. Experiment results show that the proposed scheme exhibits high detection rate with low false positives.
In this paper, we propose a signature-based hierarchical email worm detection (SHEWD) system to detect e-mail worms in large-scale networks. The proposed system detects novel worms and instantly generates their signatures. This feature helps to check the spread of any kind of worm-known or unknown.We envision a two-layer hierarchical architecture comprising local security managers (LSMs), metropolitan security managers (MSM), and a global security manager (GSM). Local managers collect suspicious flows and hand them to metropolitan managers. Metropolitan managers then use cluster analysis to sort worms from the suspicious flows. The sorted worms are used to generate the worm signature which is relayed to the global manager and then to all the collaborating networks. A separate scheme is proposed to automatically select suitable values of the system parameters. This parameter selection procedure takes into account the current network state and the threat level of the ongoing attack. The performance of the whole system is investigated using real network traffic with traces of worms. Experimental results demonstrate that the proposed scheme is capable to accurately detect email worms during the early phase of their propagations.
In light of the fast propagation of recent Internet worms, human intervention in securing the Internet during worm outbreaks is of little significance. In order to reduce the damage worms may cause, existing Intrusion Detection Systems (IDSs) need to be adaptive to the security-related requirements of their monitoring networks. This paper presents a Multilevel security based Autonomic Parameter Selector (MAPS) that can be implemented over any existing IDSs. The deployment architecture consists of a number of hierarchically placed local security managers, metropolitan security managers, and a global security manager. These security managers report events to a Worm Advisory System (WAS). WAS accordingly sets the threat level of the network. Based on this level, MAPS selects the most optimum parameters for the entire IDS to combat against the propagating worm. The MAPS architecture maintains the system performance by constantly evaluating three metrics, namely False Negative Avoidance, False Positive Avoidance, and Performance Overhead. Extensive experiments, using real network traffic and a recently proposed worm detection system, demonstrate that MAPS is capable of advising an IDS with optimum parameter values to effectively and promptly hinder further propagation of worms.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
hi@scite.ai
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.