DocumentCode :
2858454
Title :
Detecting intra-enterprise scanning worms based on address resolution
Author :
Whyte, David ; Van Oorschot, Paul C. ; Kranakis, Evangelos
Author_Institution :
Sch. of Comput. Sci., Carleton Univ., Ottawa, Ont.
fYear :
2005
fDate :
5-9 Dec. 2005
Lastpage :
380
Abstract :
Signature-based schemes for detecting Internet worms often fail on zero-day worms, and their ability to rapidly react to new threats is typically limited by the requirement of some form of human involvement to formulate updated attack signatures. We propose an anomaly-based detection technique detailing a method to detect propagation of scanning worms within individual network cells, thus protecting internal networks from infection by internal clients. Our software implementation indicates that this technique is both accurate and rapid enough to enable automatic containment and suppression of worm propagation within a network cell. Our approach relies on an aggregate anomaly score, derived from the correlation of address resolution protocol (ARP) activity from individual network attached devices. Our preliminary analysis and prototype indicate that this technique can be used to rapidly detect zero-day worms within a very small number of scans
Keywords :
Internet; invasive software; address resolution protocol; aggregate anomaly score; anomaly-based detection; internal network protection; intraenterprise scanning worm detection; worm suppression; zero-day worms; Aggregates; Broadcasting; Computer science; Computer worms; Humans; Internet; Proposals; Protection; Protocols; Prototypes;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Security Applications Conference, 21st Annual
Conference_Location :
Tucson, AZ
ISSN :
1063-9527
Print_ISBN :
0-7695-2461-3
Type :
conf
DOI :
10.1109/CSAC.2005.20
Filename :
1565264
Link To Document :
بازگشت