CERIAS Intrusion Detection Research Group, Purdue University
USA
Worms continue to be a leading security threat on the Internet. This paper analyzes several of the more wide-spread worms and develops a general life-cycle for them. The life-cycle, from the point of view of the victim host, consists of four stages: target selection, exploitation, infection, and propagation. While not all worms fall into this framework perfectly, by understanding them in this way, it becomes apparent that the majority of detection techniques used today focus on the first three stages. This paper presents a technique that is used in the fourth stage to detect the class of worms that use a horizontal scan to propagate. An argument is also made that detection in the fourth stage is a viable, but under-used technique.
Keywords: worm, life-cycle, portscan, target selection, exploit, outbound, infection