• DocumentCode
    3347797
  • Title

    DAWN: A Novel Strategy for Detecting ASCII Worms in Networks

  • Author

    Manna, Parbati Kumar ; Ranka, Sanjay ; Shigang Chen

  • Author_Institution
    Univ. of Florida, Gainesville
  • fYear
    2008
  • fDate
    13-18 April 2008
  • Abstract
    While a considerable amount of research has been done for detecting the binary worms exploiting the vulnerability of buffer overflow, very little effort has been spent in detecting worms that consist of only text, i.e., printable ASCII characters. We show that the existing worm detectors often either do not examine the ASCII stream or are not well suited to efficiently detect worms in the ASCII stream due to the structural properties of the ASCII payload. In this paper, we analyze the potentials and constraints of the ASCII worms vis-a-vis their binary counterpart, and devise a detection technique that would exploit those limitations. We introduce DAWN, a novel ASCII worm detection strategy that is fast, easily deployable, and has very little overhead. Unlike many signature-based detection methods, DAWN is completely signature-free and therefore capable of detecting zero-day outbreak of ASCII worms.
  • Keywords
    computer networks; digital signatures; security of data; telecommunication security; ASCII worm detection; DAWN; binary worm; computer networks; signature-based detection method; zero-day outbreak detection; Buffer overflow; Communications Society; Computer networks; Computer security; Computer worms; Detectors; Frequency; Information science; Payloads; Web server;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    INFOCOM 2008. The 27th Conference on Computer Communications. IEEE
  • Conference_Location
    Phoenix, AZ
  • ISSN
    0743-166X
  • Print_ISBN
    978-1-4244-2025-4
  • Type

    conf

  • DOI
    10.1109/INFOCOM.2008.300
  • Filename
    4509895