Worm Detection, Early Warning and Response Based on Local Victim Information

Guofei Gu
Georgia Institute of Technology
USA

Monirul Sharif
Georgia Institute of Technology
USA

Xinzhou Qin
Georgia Institute of Technology
USA

David Dagon
Georgia Institute of Technology
USA

Wenke Lee
Georgia Institute of Technology
USA

George Riley
Georgia Institute of Technology
USA

Worm detection systems have traditionally focused on global
strategies and required a large network, say $2^{20}$ nodes. The
value of this approach is clear; however, worm detection
techniques for smaller local networks have not been fully
explored. In the absence of a global worm detection system, we
examine the effectiveness of local worm detection and response
strategies.
This paper makes three contributions: (1) We propose a simple
two-phase local worm victim detection algorithm, DSC
(Destination-Source Correlation), based on worm behavior in terms
of both infection pattern and scanning pattern. DSC can detect
zero-day scanning worms with a high detection rate and very low
false positive rate. (2) We demonstrate the effectiveness of early
worm warning based on local victim information. For example,
warning occurs with 0.19% infection of all vulnerable hosts on the
Internet when using a /12 monitored network. (3) Based on local
victim information, we investigate and evaluate the effectiveness
of an automatic real-time local response in terms of slowing down
global Internet worm propagation. (2) and (3) are general
results, not specific to a particular detection algorithm such as
DSC. We demonstrate (2) and (3) with both analytical models and
packet-level network simulator experiments.
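As an added illustration of the destination-source correlation idea the abstract describes, the sketch below flags a local host as a likely worm victim when it first appears as the destination of a connection on some port (the infection pattern) and afterwards becomes the source of connections to many distinct hosts on that same port (the scanning pattern). This is not the authors' DSC implementation: the flow-record format, the same-port assumption, the sliding window and the fan-out threshold are all assumptions made for the example, and the flow records are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection attempt seen at the local network border (assumed format)."""
    ts: float      # seconds since start of the trace
    src: str
    dst: str
    dport: int


def detect_dsc_victims(flows: Iterable[Flow],
                       min_targets: int = 8,
                       window: float = 60.0) -> Dict[str, int]:
    """Two-phase destination-source correlation (assumed thresholds).

    Phase 1 (destination): remember when each (host, port) pair was first
    the destination of a connection.
    Phase 2 (source): only after that moment, count the distinct hosts the
    same host contacts on the same port inside a sliding time window.
    A host whose fan-out reaches min_targets is reported as {host: port}.
    """
    first_inbound: Dict[Tuple[str, int], float] = {}
    recent_out: Dict[Tuple[str, int], List[Tuple[float, str]]] = defaultdict(list)
    victims: Dict[str, int] = {}

    for f in sorted(flows, key=lambda x: x.ts):
        # Phase 1: this flow makes f.dst a destination on f.dport.
        first_inbound.setdefault((f.dst, f.dport), f.ts)

        # Phase 2: does f.src scan on a port it was itself hit on earlier?
        key_out = (f.src, f.dport)
        t_infected = first_inbound.get(key_out)
        if t_infected is None or f.ts <= t_infected:
            continue  # never a destination on this port, or not yet

        bucket = recent_out[key_out]
        bucket.append((f.ts, f.dst))
        cutoff = f.ts - window
        bucket = [(t, d) for t, d in bucket if t >= cutoff]
        recent_out[key_out] = bucket

        distinct_targets = {d for _, d in bucket}
        if len(distinct_targets) >= min_targets:
            victims.setdefault(f.src, f.dport)
    return victims


# Constructed sample trace: one benign web server, one victim, one plain scanner.
SAMPLE_FLOWS: List[Flow] = [
    # 10.0.0.2 is a web server: many inbound on 80, only two outbound on 80.
    Flow(0.0, "203.0.113.10", "10.0.0.2", 80),
    Flow(0.5, "203.0.113.11", "10.0.0.2", 80),
    Flow(2.0, "10.0.0.2", "192.0.2.50", 80),
    Flow(3.0, "10.0.0.2", "192.0.2.51", 80),
    # 10.0.0.5 receives one connection on 445 ...
    Flow(5.0, "198.51.100.7", "10.0.0.5", 445),
]
# ... and then fans out to ten distinct hosts on 445: the DSC victim pattern.
SAMPLE_FLOWS += [Flow(6.0 + i, "10.0.0.5", f"10.0.1.{i}", 445) for i in range(10)]
# 10.0.0.9 scans port 445 but was never a destination on 445, so it is not
# reported as a victim by this correlation.
SAMPLE_FLOWS += [Flow(20.0 + i, "10.0.0.9", f"10.0.2.{i}", 445) for i in range(10)]


if __name__ == "__main__":
    print(detect_dsc_victims(SAMPLE_FLOWS))
```

The ordering requirement (destination first, source afterwards, same port) is what keeps the false positive rate low in practice: a busy server is a destination on its service port all day, but it rarely fans out to many hosts on that same port, while a pure scanner that was never hit on the port is left to other detectors.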

Keywords: worm detection, early warning
