Title :
Relative Entropy-Based Filtering of Internet Worms by Inspecting TCP SYN Retry Packets
Author :
Kim, Byungseung ; Bahk, Saewoong
Author_Institution :
Sch. of Electr. Eng. & Comput. Sci., Seoul Nat. Univ., Seoul
Abstract :
Although many defense techniques against scanning worms have been developed, they have difficulty performing ingress filtering when the incoming scanning traffic has insufficient intensity, which is usually the case. To make matters worse, legitimate Internet services that behave like worms, together with dynamic network environments, undermine the efficacy of these techniques. In this paper, we propose a simple and efficient defense algorithm against Internet scanning worms that has a high detection rate and a low false positive rate. Our defense algorithm observes the protocol behavior of TCP SYN retries and applies a relative entropy scheme, which measures the distance between two distributions, to process the collected information. It builds a black-list to isolate detected hosts from the Internet, and adjusts the related parameters adaptively according to the observed traffic. Moreover, it achieves simplicity and effectiveness at the ingress point by inspecting only SYN retries on a unidirectional link, which makes the defense mechanism easy to deploy in a network. Using real-life traces, we investigate the performance of our algorithm and compare it with that of SNORT. The results clearly show that our algorithm outperforms the rate-based detection technique in terms of detection rate, detection speed and false positive rate.
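As an added illustration (not the paper's own code), the sketch below scores each source host by the relative entropy D(P || Q) between its observed SYN retry histogram P and an assumed baseline Q for well-behaved clients, computed from SYNs seen on one direction of a link. The retry bins, the baseline distribution, the smoothing constant, the threshold and the sample traffic are all assumptions made for this example, not values taken from the paper.

```python
"""Relative-entropy scoring of per-source TCP SYN retry behaviour.
Added example, not the paper's code: the retry bins, baseline distribution,
smoothing and threshold below are assumptions made for illustration.
"""
from collections import Counter, defaultdict
import math

BINS = 4                             # retries per attempt: 0, 1, 2, 3+
BASELINE = [0.85, 0.10, 0.03, 0.02]  # assumed well-behaved client profile
EPS = 1e-3                           # additive smoothing, avoids log(0)
THRESHOLD = 1.0                      # assumed black-list cut-off, in nats


def retry_histogram(syns):
    """Map each source to its distribution of retries per connection attempt.

    syns: iterable of (src, dst, dport, seq) for SYNs on a unidirectional
    link. A SYN repeating an already-seen tuple counts as a retry, so no
    reverse-direction traffic is needed.
    """
    attempts = Counter(syns)                       # tuple -> 1 + retries
    per_src = defaultdict(lambda: [0] * BINS)
    for (src, _dst, _dport, _seq), n in attempts.items():
        per_src[src][min(n - 1, BINS - 1)] += 1
    return {src: [c / sum(h) for c in h] for src, h in per_src.items()}


def relative_entropy(p, q, eps=EPS):
    """D(P || Q) in nats after additive smoothing of both distributions."""
    ps = [(x + eps) / (1 + eps * len(p)) for x in p]
    qs = [(x + eps) / (1 + eps * len(q)) for x in q]
    return sum(pi * math.log(pi / qi) for pi, qi in zip(ps, qs))


def blacklist(syns, baseline=BASELINE, threshold=THRESHOLD):
    """Return {src: D(P_src || baseline)} for sources above the threshold."""
    scores = {src: relative_entropy(h, baseline)
              for src, h in retry_histogram(syns).items()}
    return {src: round(d, 3) for src, d in scores.items() if d > threshold}


# Constructed sample traffic (not a real trace).
# 10.0.0.5 acts like a browser: 20 attempts, two of them retried once.
# 10.0.0.9 scans dark address space: 8 attempts, every SYN retried 3 times.
SAMPLE = (
    [("10.0.0.5", f"198.51.100.{i}", 443, 1000 + i) for i in range(20)]
    + [("10.0.0.5", "198.51.100.1", 443, 1001),
       ("10.0.0.5", "198.51.100.2", 443, 1002)]
    + [("10.0.0.9", f"203.0.113.{i}", 445, 5000 + i) for i in range(8)] * 4
)

if __name__ == "__main__":
    print(blacklist(SAMPLE))         # only 10.0.0.9 exceeds the threshold
```

The baseline Q would in practice be re-estimated from observed traffic, which is where the adaptive parameter adjustment described in the abstract would sit.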
Keywords :
Internet; entropy; invasive software; telecommunication security; telecommunication traffic; transport protocols; Internet scanning worm; TCP SYN retry packet protocol; defense algorithm; dynamic network environment; false positive rate; incoming scanning traffic; ingress filtering; intrusion detection; relative entropy-based filtering; Computer science; Computer worms; Detection algorithms; Entropy; Information filtering; Information filters; Knowledge based systems; Protocols; Telecommunication traffic; Web and internet services;
Conference_Title :
Advanced Information Networking and Applications Workshops, 2007, AINAW '07. 21st International Conference on
Conference_Location :
Niagara Falls, Ont.
Print_ISBN :
978-0-7695-2847-2
DOI :
10.1109/AINAW.2007.310