DocumentCode
2373976
Title
Passive Worm and Malware Detection in Peer-to-Peer Networks
Author
Fahimian, Sahar ; Movahed, Amirvala ; Kharrazi, Mehdi
Author_Institution
Dept. of Inf. Technol., Sharif Univ. of Technol., Kish Island, Iran
fYear
2010
fDate
11-13 Dec. 2010
Firstpage
561
Lastpage
565
Abstract
Today P2P networks are responsible for a large amount of traffic on the Internet, as many Internet users employ such networks for content distribution. At the same time, P2P networks are vulnerable to security threats such as Internet worms and facilitate their propagation. Internet worms, and more generally malware, are a major concern to the network security community. There are many different types of worms in the wild, mostly categorized based on how they find and infect their new victims (i.e. active, passive, etc.). In this paper, we investigate a new approach for detecting passive worms and malware in P2P networks based on the popularity of files in the network. As part of our investigation, we crawl the Gnutella P2P network over a 12-day period, collecting file names and file popularity statistics. We are then able to extract the highly popular files and identify worm/malware files within them with high accuracy.
Keywords
Internet; invasive software; peer-to-peer computing; Gnutella P2P network; Internet; malware detection; passive worm detection; peer-to-peer networks; security threats; Detection; Peer-to-Peer; Worm;
fLanguage
English
Publisher
ieee
Conference_Titel
Embedded and Ubiquitous Computing (EUC), 2010 IEEE/IFIP 8th International Conference on
Conference_Location
Hong Kong
Print_ISBN
978-1-4244-9719-5
Electronic_ISBN
978-0-7695-4322-2
Type
conf
DOI
10.1109/EUC.2010.133
Filename
5703577