Effective worm detection for various scan techniques

Xia, Jianhong; Vangala, Sarma; Wu, Jing; Gao, Lixin; Kwiat, Kevin

doi:10.3233/jcs-2006-14403

Cited by 18 publications

(17 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We denote each as U1 through U5 (user applications), W1 through W5 (worms), and M1 through M5 (updates or daemons). We include 5 Windows-based worms of representative samples based on their scanning strategy [16], [28] as shown in Table 3. However we cannot exploit Linux worm because it's not working on Windows system.…”

Section: Experimental Settingmentioning

confidence: 99%

See 1 more Smart Citation

PC Worm Detection System Based on the Correlation between User Interactions and Comprehensive Network Behaviors

Seo

Deok

Zhu

et al. 2013

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYAnomaly-based worm detection is a complement to existing signature-based worm detectors. It detects unknown worms and fills the gap between when a worm is propagated and when a signature is generated and downloaded to a signature-based worm detector. A major obstacle for its deployment to personal computers (PCs) is its high false positive alarms since a typical PC user lacks the skill to handle exceptions flagged by a detector without much knowledge of computers. In this paper, we exploit the feature of personal computers in which the user interacts with many running programs and the features combining various network characteristics. The model of a program's network behaviors is conditioned on the human interactions with the program. Our scheme automates detection of unknown worms with dramatically reduced false positive alarms while not compromising low false negatives, as proved by our experimental results from an implementation on Windows-based PCs to detect real world worms.

show abstract

Section: Experimental Settingmentioning

confidence: 99%

“…EarlyBird system [15] automatically generates potential worm signatures by inspecting traffic patterns and relationships between sources and destinations addresses. Xia et al [16] demonstrated how to detect worms by analyzing packets with unused destination addresses.…”

Section: Introductionmentioning

confidence: 99%

PC Worm Detection System Based on the Correlation between User Interactions and Comprehensive Network Behaviors

Seo

Deok

Zhu

et al. 2013

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…Relies only on ARP activity; does not correlate ARP requests and replies; [24] History based IP worm detection Source addresses of connection requests are unlikely to have been seen at the network previously; [25] Victim Number based approach Random scanning techniques used by worms induce a large number of packets to inactive addresses or inactive services…”

Section: Scanning and Infection Patternmentioning

confidence: 99%

A Tour of the Computer Worm Detection Space

Ochieng¹,

Mwangi²,

Ateya³

2014

IJCA

View full text Add to dashboard Cite

Computer worm detection has been a challenging and often elusive task. This is partly because of the difficulty of accurately modeling either the normal behavior of computer networks or the malicious actions of computer worms. This paper presents a literature review on the worm detection techniques, highlighting the worm characteristics leveraged for detection and the limitations of the various detection techniques. The paper broadly categorizes the worm detection approaches into content signature based detection, polymorphic worm detection, anomaly based detection, and behavioral signature based detection. The gap in the literature in the techniques is indicated and is the main contribution of the paper.

show abstract

“…, F m , where F i is given to host i ∈ M. If each of F i is an ordered subset of F, we call this arrangement a block-split. In the context of the Internet, a pre-permutation scanner [4], [25] first applies partitioning g 2 to F and then permutes each F i using some algorithm g 1 to produce the final assignment [3], [8], [18], [19], [20], [28], [42], [44] first applies permutation g 1 to F and then partitions list…”

Section: B Scan Patternsmentioning

confidence: 99%

Stochastic analysis of horizontal IP scanning

Leonard

Yao

Wang

et al. 2012

2012 Proceedings IEEE INFOCOM

View full text Add to dashboard Cite

Abstract-Intrusion Detection Systems (IDS) have become ubiquitous in the defense against virus outbreaks, malicious exploits of OS vulnerabilities, and botnet proliferation. As attackers frequently rely on host scanning for reconnaissance leading to penetration, IDS is often tasked with detecting scans and preventing them. However, it is currently unknown how likely an IDS is to detect a given Internet-wide scan pattern and whether there exist sufficiently fast scan techniques that can remain virtually undetectable at large-scale. To address these questions, we propose a simple analytical model for the window-expiration rules of popular IDS tools (i.e., Snort and Bro) and utilize a variation of the Chen-Stein theorem to derive the probability that they detect some of the commonly used scan permutations. Using this analysis, we also prove the existence of stealth-optimal scan patterns, examine their performance, and contrast it with that of well-known techniques.

show abstract

Effective worm detection for various scan techniques

Cited by 18 publications

References 13 publications

PC Worm Detection System Based on the Correlation between User Interactions and Comprehensive Network Behaviors

PC Worm Detection System Based on the Correlation between User Interactions and Comprehensive Network Behaviors

A Tour of the Computer Worm Detection Space

Stochastic analysis of horizontal IP scanning

Contact Info

Product

Resources

About