2nd International ICST Conference on Scalable Information Systems

Research Article

Detecting Early Worm Propagation Based on Entropy

Download593 downloads
  • @INPROCEEDINGS{10.4108/infoscale.2007.192,
        author={Hanxun Zhou and Yingyou Wen and Hong Zhao},
        title={Detecting Early Worm Propagation Based on Entropy},
        proceedings={2nd International ICST Conference on Scalable Information Systems},
        proceedings_a={INFOSCALE},
        year={2010},
        month={5},
        keywords={network security worm worm detection entropy Chebyshev’s inequality.},
        doi={10.4108/infoscale.2007.192}
    }
    
  • Hanxun Zhou
    Yingyou Wen
    Hong Zhao
    Year: 2010
    Detecting Early Worm Propagation Based on Entropy
    INFOSCALE
    ICST
    DOI: 10.4108/infoscale.2007.192
Hanxun Zhou1,*, Yingyou Wen2,*, Hong Zhao2,*
  • 1: Dept. of Information Science and Engineering Northeastern University Shenyang, China
  • 2: Software Center Northeastern University Shenyang, China
*Contact email: zhouhx@neusoft.com, wenyy@neusoft.com, zhaoh@neusoft.com

Abstract

In this paper, we present a router-based system to identify worm attacks by computing entropy values of selected packet attributes. We first compute during a training phase a profile of entropy values of the selected packet attributes. Then Chebyshev’s inequality is utilized after the training phase to calculate the normal bound of entropy value with a low probability of a false positive. The detector compares new data against the bound and generates an alert when the new input exceeds the normal bound. The detection accuracy and performance are analyzed using live traffic traces. The results indicate that this approach can be effective against current worm attacks.