About | Contact Us | Register | Login
ProceedingsSeriesJournalsSearchEAI
2nd International ICST Conference on Security and Privacy in Comunication Networks

Research Article

Effective Detection of Active Worms with Varying Scan Rate

Cite
BibTeX Plain Text
  • @INPROCEEDINGS{10.1109/SECCOMW.2006.359549,
        author={Wei  Yu and Xun Wang and Dong Xuan  and David Lee},
        title={Effective Detection of Active Worms with Varying Scan Rate},
        proceedings={2nd International ICST Conference on Security and Privacy in Comunication Networks},
        publisher={IEEE},
        proceedings_a={SECURECOMM},
        year={2007},
        month={5},
        keywords={Worm attacks Varying scan rate Anomaly detection},
        doi={10.1109/SECCOMW.2006.359549}
    }
    
  • Wei Yu
    Xun Wang
    Dong Xuan
    David Lee
    Year: 2007
    Effective Detection of Active Worms with Varying Scan Rate
    SECURECOMM
    IEEE
    DOI: 10.1109/SECCOMW.2006.359549
Wei Yu1,*, Xun Wang2,*, Dong Xuan 2,*, David Lee2,*
  • 1: Department of Computer Science, Texas A&M University, College Station, TX 77843.
  • 2: Department of Computer Science and Engineering, The Ohio-State University, Columbus, OH 43210.
*Contact email: weiyu@cs.tamu.edu, wangxu@cse.ohio-state.edu, xuan@cse.ohio-state.edu, lee@cse.ohio-state.edu

Abstract

Active worms have been posing a major security threat to today's Internet. It is widely believed that active worms continue their evolutions. In this paper, we model a new form of active worms called varying scan rate worm (the VSR worm in short). The VSR worm deliberately varies its scan rate and is able to avoid being effectively detected by existing worm detection schemes. The emerging "Atak" worm belongs to this category of worms. To countermeasure the VSR worm, we design a new worm detection scheme called attack target distribution entropy based dynamic detection scheme (DEC detection in short). DEC detection utilizes the attack target distribution and its statistical entropy in conjunction with dynamic decision rules to distinguish worm scan traffic from non-worm scan traffic. We conduct extensive performance evaluations on the DEC detection scheme, using real-world traces as background scan traffic. Our data clearly demonstrates the effectiveness of the DEC detection scheme in detecting VSR worms as well as traditional worms

Keywords
Worm attacks Varying scan rate Anomaly detection
Published
2007-05-15
Publisher
IEEE
http://dx.doi.org/10.1109/SECCOMW.2006.359549
Copyright © 2006–2025 IEEE
EBSCOProQuestDBLPDOAJPortico
EAI Logo

About EAI

  • Who We Are
  • Leadership
  • Research Areas
  • Partners
  • Media Center

Community

  • Membership
  • Conference
  • Recognition
  • Sponsor Us

Publish with EAI

  • Publishing
  • Journals
  • Proceedings
  • Books
  • EUDL