
Fast Detection of Scanning Worm Infections

Conference paper, Recent Advances in Intrusion Detection (RAID 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3224)


Abstract

Worm detection and response systems must act quickly to identify and quarantine scanning worms, as when left unchecked such worms have been able to infect the majority of vulnerable hosts on the Internet in a matter of minutes [9]. We present a hybrid approach to detecting scanning worms that integrates significant improvements we have made to two existing techniques: sequential hypothesis testing and connection rate limiting. Our results show that this two-pronged approach successfully restricts the number of scans that a worm can complete, is highly effective, and has a low false alarm rate.
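As an added worked example (not code from the paper, whose refinements of both techniques differ in detail), the Python sketch below combines the two ingredients the abstract names: Wald's sequential probability ratio test [24] over the success/failure outcomes of a host's first-contact connection attempts, in the style of the portscan detector of [7], and a per-host rate limit on first-contact attempts in the spirit of Williamson's throttle [27]. The success probabilities under each hypothesis, the error bounds, the limiter's window and quota, the class and function names, and the trace are all assumptions constructed for the illustration.

```python
"""Hybrid scanning-worm detector: Wald's sequential probability ratio test
(SPRT) over the outcomes of a host's first-contact connection attempts,
combined with a per-host rate limit on such attempts.

Added example, not the paper's code.  Every number below (hypothesis
parameters, error bounds, limiter window and quota) and the trace are
constructed for illustration.
"""
import math
from collections import deque

# H0: the host is benign; H1: the host is scanning.
# theta = P[a first-contact connection attempt succeeds] under each hypothesis.
THETA0 = 0.8   # assumed: benign hosts mostly reach hosts that exist and listen
THETA1 = 0.2   # assumed: a scanner mostly hits absent hosts or closed ports
ALPHA = 0.01   # tolerated false-alarm probability P[decide H1 | H0]
BETA = 0.01    # tolerated miss probability        P[decide H0 | H1]

# Log-likelihood-ratio increment per outcome and Wald's decision bounds.
LLR_SUCCESS = math.log(THETA1 / THETA0)              # < 0: evidence for benign
LLR_FAILURE = math.log((1 - THETA1) / (1 - THETA0))  # > 0: evidence for scanning
UPPER = math.log((1 - BETA) / ALPHA)                 # llr >= UPPER -> decide H1
LOWER = math.log(BETA / (1 - ALPHA))                 # llr <= LOWER -> decide H0


class HostState:
    def __init__(self):
        self.llr = 0.0            # running log-likelihood ratio
        self.contacted = set()    # remote addresses this host has already reached
        self.recent = deque()     # times of first-contact attempts inside the window
        self.quarantined = False


class ScanDetector:
    def __init__(self, window=1.0, max_first_contacts=4):
        """max_first_contacts=None disables the rate limiter (SPRT only)."""
        self.window = window
        self.quota = max_first_contacts
        self.hosts = {}

    def observe(self, t, src, dst, outcome):
        """Score one attempt by src to dst ('success'/'failure'); return the action taken."""
        h = self.hosts.setdefault(src, HostState())
        if h.quarantined:
            return "dropped"
        if dst in h.contacted:
            return "forwarded"          # repeat contact: neither rate-limited nor scored
        if self.quota is not None:      # connection rate limiting on first contacts
            while h.recent and t - h.recent[0] >= self.window:
                h.recent.popleft()
            if len(h.recent) >= self.quota:
                return "rate-limited"   # never sent, so there is no outcome to score
            h.recent.append(t)
        h.contacted.add(dst)
        h.llr += LLR_FAILURE if outcome == "failure" else LLR_SUCCESS
        if h.llr >= UPPER:
            h.quarantined = True        # scanner: block all further traffic from src
            return "quarantined"
        if h.llr <= LOWER:
            h.llr = 0.0                 # benign verdict: restart, a later infection must still be caught
        return "forwarded"


def run(trace, max_first_contacts=4):
    """Replay a trace of (time, src, dst, outcome); return per-host action counts."""
    det = ScanDetector(max_first_contacts=max_first_contacts)
    counts = {}
    for t, src, dst, outcome in trace:
        c = counts.setdefault(src, {"forwarded": 0, "rate-limited": 0,
                                    "quarantined": 0, "dropped": 0})
        c[det.observe(t, src, dst, outcome)] += 1
    return counts


# Constructed trace.  10.0.0.5 behaves like a workstation; 10.0.0.9 like a
# worm that bursts 12 probes in a fifth of a second and 5 more a second later.
TRACE = [
    (0.0, "10.0.0.5", "198.51.100.10", "success"),
    (0.8, "10.0.0.5", "198.51.100.11", "success"),
    (1.5, "10.0.0.5", "198.51.100.12", "success"),
    (2.9, "10.0.0.5", "198.51.100.10", "success"),   # repeat contact, not scored
    (3.4, "10.0.0.5", "198.51.100.13", "success"),
]
TRACE += [(10.0 + 0.02 * i, "10.0.0.9", f"203.0.113.{i + 1}",
           "failure" if c == "F" else "success")
          for i, c in enumerate("FFSFSFFFFFFF")]
TRACE += [(11.5 + 0.02 * i, "10.0.0.9", f"203.0.113.{i + 20}", "failure")
          for i in range(5)]

if __name__ == "__main__":
    for quota in (4, None):
        print(f"limiter quota={quota}:", run(TRACE, max_first_contacts=quota))
```

With these parameters each failure adds ln 4 to the log-likelihood ratio and the upper bound is ln 99, so four net failures are enough to quarantine, while four net successes declare the host benign and restart the test. On the constructed trace the worm gets only 4 of its first 12 probes onto the network with the limiter in place and is quarantined on the second probe of its next burst; with the limiter disabled the same worm completes 8 probes before the test crosses the bound. The limiter matters most while the test is still undecided, for instance when a worm's early targets happen to be live and the evidence accumulates slowly. In a real deployment the outcome of an attempt is only known after a SYN/ACK, a RST, an ICMP unreachable or a timeout, so in-flight attempts also count against the number of scans the worm can complete before quarantine.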

References

  1. Bakos, G., Berk, V.: Early detection of internet worm activity by metering ICMP destination unreachable messages. In: Proceedings of the SPIE Aerosense (2002)
  2. Berk, V., Bakos, G., Morris, R.: Designing a framework for active worm detection on global networks. In: Proceedings of the IEEE International Workshop on Information Assurance (March 2003)
  3. Berk, V.H., Gray, R.S., Bakos, G.: Using sensor networks and data fusion for early detection of active worms. In: Proceedings of the SPIE Aerosense Conference (April 2003)
  4. CERT: "Code Red II:" another worm exploiting buffer overflow in IIS indexing service DLL, http://tinyurl.com/2lzgb
  5. F-Secure: Computer virus information pages: Lovsan, http://tinyurl.com/ojd1
  6. F-Secure: Computer virus information pages: Mimail.J, http://tinyurl.com/3ybsp
  7. Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the IEEE Symposium on Security and Privacy, May 9-12 (2004)
  8. Kienzle, D.M., Elder, M.C.: Recent worms: a survey and trends. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, October 27, pp. 1–10. ACM Press, New York (2003)
  9. Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer worm. IEEE Security and Privacy 1(4), 33–39 (2003)
  10. Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: Proceedings of IEEE INFOCOM, April 1-3 (2003)
  11. Network Associates Inc.: Security threat report for W32/Mydoom@MM, http://tinyurl.com/2asgc
  12. Paxson, V.: Bro: A system for detecting network intruders in real-time, http://www.icir.org/vern/bro-info.html
  13. Paxson, V.: Bro: a system for detecting network intruders in real-time. Computer Networks 31(23-24), 2435–2463 (1999)
  14. Sidiroglou, S., Keromytis, A.D.: Countering network worms through automatic patch generation. Technical Report CUCS-029-03, Columbia University (2003)
  15. Sidiroglou, S., Keromytis, A.D.: A network worm vaccine architecture. In: Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security (June 2003)
  16. Staniford, S.: Containment of scanning worms in enterprise networks. Journal of Computer Security (forthcoming)
  17. Staniford, S., Hoagland, J., McAlerney, J.: Practical automated detection of stealthy portscans. Journal of Computer Security 10(1), 105–136 (2002)
  18. Staniford, S., Paxson, V., Weaver, N.: How to 0wn the Internet in your spare time. In: Proceedings of the 11th USENIX Security Symposium, August 7-9 (2002)
  19. Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.: GrIDS – A graph-based intrusion detection system for large networks. In: Proceedings of the 19th National Information Systems Security Conference, October 1996, vol. 1, pp. 361–370 (1996)
  20. Symantec: Security response – CodeRed II, http://tinyurl.com/89t0
  21. Symantec: Security response – W32.Novarg.A@mm, http://tinyurl.com/2lv95
  22. Twycross, J., Williamson, M.M.: Implementing and testing a virus throttle. In: Proceedings of the 12th USENIX Security Symposium, August 4-8 (2003)
  23. von Ahn, L., Blum, M., Langford, J.: Telling humans and computers apart (automatically) or how lazy cryptographers do AI. Technical Report CMU-CS-02-117, Carnegie Mellon University (February 2002)
  24. Wald, A.: Sequential Analysis. J. Wiley & Sons, New York (1947)
  25. Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, October 27, pp. 11–18. ACM Press, New York (2003)
  26. Weaver, N., Staniford, S., Paxson, V.: Very fast containment of scanning worms. In: Proceedings of the 13th USENIX Security Symposium, August 9-13 (2004)
  27. Williamson, M.M.: Throttling viruses: Restricting propagation to defeat malicious mobile code. In: Proceedings of the 18th Annual Computer Security Applications Conference (ACSAC 2002), December 9-13 (2002)

Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Schechter, S.E., Jung, J., Berger, A.W. (2004). Fast Detection of Scanning Worm Infections. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_4

  • DOI: https://doi.org/10.1007/978-3-540-30143-1_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-23123-3

  • Online ISBN: 978-3-540-30143-1
