DocumentCode
1782736
Title
Detecting smart, self-propagating Internet worms
Author
Jun Li ; Stafford, Shad
Author_Institution
Network & Security Res. Lab., Univ. of Oregon, Eugene, OR, USA
fYear
2014
fDate
29-31 Oct. 2014
Firstpage
193
Lastpage
201
Abstract
Self-propagating worms can infect millions of computers on the Internet in just several minutes. Although there are already many existing worm detectors, none of them systematically consider the countermeasures from worm authors, leaving them potentially ineffective against smart, evasive worms. We therefore revisit worm detection in this paper. We treat worm detection as an arms race, and study how to most effectively detect not only classic worms (i.e. worms that do not have the knowledge of worm detectors), but also evasive worms that know the worm detector in place, know its configurations, and can even adjust their scanning rate by observing legitimate traffic. We describe our design of a new worm detector called SWORD, conduct extensive experiments using realistic trace with different parameters of worms, and demonstrate that SWORD is superior to existing detectors for detecting both classic and evasive worms.
Keywords
Internet; computer network security; invasive software; telecommunication traffic; SWORD worm detector; arms race; classic worms; legitimate traffic; scanning rate; smart evasive worms; smart self-propagating Internet worm detection; worm authors; worm parameters; Boolean functions; Data structures; Detectors; Grippers; Internet; Security; Training; Internet worm; behavior-based worm detection; smart worm; worm detection;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications and Network Security (CNS), 2014 IEEE Conference on
Conference_Location
San Francisco, CA
Type
conf
DOI
10.1109/CNS.2014.6997486
Filename
6997486