|
|
For Full-Text PDF, please login, if you are a member of IEICE,
or go to Pay Per View on menu list, if you are a nonmember of IEICE.
|
Detecting Unknown Worms Using Randomness Check
Hyundo PARK
Heejo LEE
Hyogon KIM
Publication
IEICE TRANSACTIONS on Communications
Vol.E90-B
No.4
pp.894-903
Publication Date: 2007/04/01
Online ISSN: 1745-1345
DOI: 10.1093/ietcom/e90-b.4.894
Print ISSN: 0916-8516
Type of Manuscript: PAPER
Category: Internet
Keyword:
Internet worm, early detection, randomness, traffic matrix, rank,
Full Text: PDF(878.2KB)>>
Summary:
From the introduction of CodeRed and Slammer worms, it has been learned that the early detection of worm epidemics is important in order to reduce the damage resulting from outbreaks. A prominent characteristic of Internet worms is the random selection of subsequent targets. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses in network traffic. The proposed mechanism constructs a matrix from network traffic and checks the rank of the matrix in order to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high rank value, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the matrix. From experiments on various environments, it is demonstrated that the ADUR mechanism effectively detects the spread of new worms in the early stages, even when there is only a single host infected in a monitoring network. Also, we show that ADUR is highly sensitive so that the worm epidemic can be detectable quickly, e.g., three times earlier than the infection of 90% vulnerable hosts.
|
|
|
|
