An Efficient Signature-Based Approach for Automatic Detection of Internet Worms over Large-Scale Networks

Internet Worms pose a serious threat to today´s Internet. Signature matching is an important approach to detect worms. However, as most signature development processes are manual, they require significant time. They are thus not efficient in reducing the damage worms may cause. In this paper, an efficient signature-based method is proposed for automatic detection of worms over large-scale networks. In the proposed system, detection is performed in a hierarchical manner. Security managers of local networks collect worm-like or suspicious flows and handle these flows to high-hierarchy metropolitan managers. In response, the latter use this information to generate robust signature. The global manager which lies on top of the hierarchy, multicasts the signature to local managers via metropolitan managers. This enables local managers to detect worms that try to penetrate into their networks. The proposed system is evaluated using an off-line real network traffic that contains traces of worms. Experimental results indicate that the proposed system exhibits high detection rates with low false alarm rates.