2nd International ICST Conference on Scalable Information Systems

Research Article

Detecting Early Worm Propagation Based on Entropy

  • @INPROCEEDINGS{10.4108/infoscale.2007.192,
        author={Hanxun Zhou and Yingyou Wen and Hong Zhao},
        title={Detecting Early Worm Propagation Based on Entropy},
        proceedings={2nd International ICST Conference on Scalable Information Systems},
        proceedings_a={INFOSCALE},
        year={2010},
        month={5},
        keywords={network security, worm, worm detection, entropy, Chebyshev’s inequality},
        doi={10.4108/infoscale.2007.192}
    }
    
  • Hanxun Zhou
    Yingyou Wen
    Hong Zhao
    Year: 2010
    Detecting Early Worm Propagation Based on Entropy
    INFOSCALE
    ICST
    DOI: 10.4108/infoscale.2007.192
Hanxun Zhou (1,*), Yingyou Wen (2,*), Hong Zhao (2,*)
  • 1: Dept. of Information Science and Engineering Northeastern University Shenyang, China
  • 2: Software Center Northeastern University Shenyang, China
*Contact email: zhouhx@neusoft.com, wenyy@neusoft.com, zhaoh@neusoft.com

Abstract

In this paper, we present a router-based system that identifies worm attacks by computing entropy values of selected packet attributes. During a training phase, we first compute a profile of entropy values of the selected packet attributes. After the training phase, Chebyshev’s inequality is used to calculate the normal bound of the entropy value with a low probability of a false positive. The detector compares new data against the bound and generates an alert when the new input exceeds the normal bound. The detection accuracy and performance are analyzed using live traffic traces. The results indicate that this approach can be effective against current worm attacks.
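The train-then-bound pipeline described in the abstract, as an added sketch that is not the authors' code. The choice of destination address as the attribute, the 64-packet windows, the two-sided bound, the 5% false-positive target and all sample addresses are assumptions made for illustration.

```python
import math
import statistics
from collections import Counter

def shannon_entropy(values):
    """Shannon entropy (bits) of one packet attribute over a window."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())

def train_profile(windows):
    """Mean and standard deviation of per-window entropy on clean traffic."""
    ents = [shannon_entropy(w) for w in windows]
    return statistics.mean(ents), statistics.pstdev(ents)

def chebyshev_bound(mean, std, max_fp):
    """Chebyshev: P(|H - mean| >= k*std) <= 1/k^2, so k = 1/sqrt(max_fp)."""
    k = 1 / math.sqrt(max_fp)
    return mean - k * std, mean + k * std

def detect(windows, bound):
    """Indices of windows whose entropy falls outside the normal bound."""
    lo, hi = bound
    return [i for i, w in enumerate(windows)
            if not lo <= shannon_entropy(w) <= hi]

# Constructed sample data (not from the paper): 64-packet windows of
# destination addresses. Clean windows spread over 6 to 8 servers.
def clean_window(servers):
    return ["10.0.0.%d" % (i % servers) for i in range(64)]

TRAINING = [clean_window(6 + j % 3) for j in range(9)]
# Constructed scanning window: every packet targets a different address,
# which pushes destination entropy to its maximum for the window size.
SCAN = ["192.0.2.%d" % i for i in range(64)]

BOUND = chebyshev_bound(*train_profile(TRAINING), max_fp=0.05)
ALERTS = detect([clean_window(7), SCAN, clean_window(8)], BOUND)

if __name__ == "__main__":
    print("normal bound: %.3f .. %.3f bits" % BOUND)
    print("alerting windows:", ALERTS)
```

Because Chebyshev's inequality makes no assumption about how the entropy values are distributed, the bound is conservative: a smaller false-positive target widens the interval by a factor of 1/sqrt(max_fp) standard deviations.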