• DocumentCode
    2693528
  • Title
    Packet sampling for worm and botnet detection in TCP connections
  • Author
    Braun, Lothar ; Munz, Gerhard ; Carle, Georg
  • Author_Institution
    Inst. for Inf., Tech. Univ. Munchen, Munich, Germany
  • fYear
    2010
  • fDate
    19-23 April 2010
  • Firstpage
    264
  • Lastpage
    271
  • Abstract
    Malware and botnets pose a steady and growing threat to network security. Therefore, packet analysis systems examine network traffic to detect active botnets and spreading worms. However, with the advent of multi-gigabit link speeds, capturing and analysing the header and payload of every packet requires enormous amounts of computational resources and is therefore not feasible in many situations. We address this problem by presenting an efficient packet sampling algorithm that picks a small number of packets from the beginning of every TCP connection. Bloom filters are used to store the required connection state information with a constant amount of memory. Our analysis of worm and botnet traffic shows that the large majority of attack signatures are actually found in these packets. Thus, our sampling algorithm can be deployed in front of a detection system to reduce the number of inspected packets without significantly degrading the detection results.
  • Keywords
    computer network security; sampling methods; Bloom filters; TCP connections; botnet detection; malware; network security; packet sampling; sampling algorithm; worm detection; Filters; Forensics; High-speed networks; Informatics; Intrusion detection; Out of order; Payloads; Runtime; Sampling methods; Telecommunication traffic
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network Operations and Management Symposium (NOMS), 2010 IEEE
  • Conference_Location
    Osaka
  • ISSN
    1542-1201
  • Print_ISBN
    978-1-4244-5366-5
  • Electronic_ISBN
    1542-1201
  • Type
    conf
  • DOI
    10.1109/NOMS.2010.5488473
  • Filename
    5488473