Research Article
Effective Detection of Active Worms with Varying Scan Rate
@INPROCEEDINGS{10.1109/SECCOMW.2006.359549,
  author={Wei Yu and Xun Wang and Dong Xuan and David Lee},
  title={Effective Detection of Active Worms with Varying Scan Rate},
  proceedings={2nd International ICST Conference on Security and Privacy in Communication Networks},
  publisher={IEEE},
  proceedings_a={SECURECOMM},
  year={2007},
  month={5},
  keywords={Worm attacks, Varying scan rate, Anomaly detection},
  doi={10.1109/SECCOMW.2006.359549}
}
- Wei Yu
- Xun Wang
- Dong Xuan
- David Lee
Year: 2007
SECURECOMM
IEEE
DOI: 10.1109/SECCOMW.2006.359549
Abstract
Active worms have been posing a major security threat to today's Internet. It is widely believed that active worms will continue to evolve. In this paper, we model a new form of active worm called the varying scan rate worm (the VSR worm for short). The VSR worm deliberately varies its scan rate and is thereby able to avoid being effectively detected by existing worm detection schemes. The emerging "Atak" worm belongs to this category of worms. To counter the VSR worm, we design a new worm detection scheme called the attack target distribution entropy based dynamic detection scheme (DEC detection for short). DEC detection utilizes the attack target distribution and its statistical entropy, in conjunction with dynamic decision rules, to distinguish worm scan traffic from non-worm scan traffic. We conduct extensive performance evaluations of the DEC detection scheme, using real-world traces as background scan traffic. Our data clearly demonstrate the effectiveness of the DEC detection scheme in detecting VSR worms as well as traditional worms.