Detecting Unknown Worms Using Randomness Check

Hyundo Park, Heejo Lee, Hyogon Kim

Research output: Contribution to journal › Article

5 Citations (Scopus)

Abstract

From the introduction of CodeRed and Slammer worms, it has been learned that the early detection of worm epidemics is important in order to reduce the damage resulting from outbreaks. A prominent characteristic of Internet worms is the random selection of subsequent targets. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses in network traffic. The proposed mechanism constructs a matrix from network traffic and checks the rank of the matrix in order to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high rank value, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the matrix. From experiments on various environments, it is demonstrated that the ADUR mechanism effectively detects the spread of new worms in the early stages, even when there is only a single host infected in a monitoring network. Also, we show that ADUR is highly sensitive so that the worm epidemic can be detectable quickly, e.g., three times earlier than the infection of 90 vulnerable hosts.
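The randomness check described in the abstract, as an added illustration that is not code from the paper: the page does not give ADUR's exact matrix construction or alert threshold, so packing each destination IPv4 address of a window as one 32-bit row, a window of 32 addresses, and an alert threshold of rank 24 are assumptions. Traffic to a few local servers yields a low-rank matrix; randomly scanned destinations yield a matrix of near-full rank over GF(2).

```python
import random
from typing import Iterable, List

MATRIX_ROWS = 32      # destinations per window (assumed window size)
RANK_THRESHOLD = 24   # assumed alert threshold; tune to the monitored network

def ip_to_int(ip: str) -> int:
    """Pack a dotted-quad IPv4 address into one 32-bit binary row."""
    a, b, c, d = (int(p) for p in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def gf2_rank(rows: List[int], width: int = 32) -> int:
    """Rank over GF(2) by Gaussian elimination; each int is one row of bits."""
    rows = list(rows)
    rank = 0
    for bit in range(width - 1, -1, -1):
        pivot = next((i for i in range(rank, len(rows)) if (rows[i] >> bit) & 1), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for i, r in enumerate(rows):
            if i != rank and (r >> bit) & 1:
                rows[i] = r ^ rows[rank]
        rank += 1
    return rank

def window_rank(dest_ips: Iterable[str]) -> int:
    """Rank of the matrix whose rows are the destination addresses of one window."""
    return gf2_rank([ip_to_int(ip) for ip in dest_ips])

def worm_suspected(dest_ips: Iterable[str], threshold: int = RANK_THRESHOLD) -> bool:
    """Raise an alert when the window looks like random target selection."""
    return window_rank(dest_ips) >= threshold

# Constructed sample: normal traffic repeatedly hitting eight hosts in one /24.
NORMAL_WINDOW = [f"10.0.1.{1 + i % 8}" for i in range(MATRIX_ROWS)]

# Constructed sample: uniformly random targets, seeded so the run is repeatable.
_rng = random.Random(2007)
SCAN_WINDOW = [".".join(str(_rng.randrange(256)) for _ in range(4)) for _ in range(MATRIX_ROWS)]

if __name__ == "__main__":
    for name, window in (("normal", NORMAL_WINDOW), ("scanning", SCAN_WINDOW)):
        print(f"{name:9s} rank={window_rank(window):2d} alert={worm_suspected(window)}")
```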

Original language: English
Pages (from-to): 894-903
Number of pages: 10
Journal: IEICE Transactions on Communications
Volume: E90-B
Issue number: 4
DOIs
Publication status: Published - 2007 Apr 1

Fingerprint

Internet
Monitoring
Experiments

Keywords

  • Early detection
  • Internet worm
  • Randomness
  • Rank
  • Traffic matrix

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • Computer Networks and Communications

Cite this

Detecting Unknown Worms Using Randomness Check. / Park, Hyundo; Lee, Heejo; Kim, Hyogon.

In: IEICE Transactions on Communications, Vol. E90-B, No. 4, 01.04.2007, p. 894-903.

Research output: Contribution to journal › Article

@article{5e2c3f10405b430ca8e32c3d45490357,
title = "Detecting Unknown Worms Using Randomness Check",
abstract = "From the introduction of CodeRed and Slammer worms, it has been learned that the early detection of worm epidemics is important in order to reduce the damage resulting from outbreaks. A prominent characteristic of Internet worms is the random selection of subsequent targets. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses in network traffic. The proposed mechanism constructs a matrix from network traffic and checks the rank of the matrix in order to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high rank value, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the matrix. From experiments on various environments, it is demonstrated that the ADUR mechanism effectively detects the spread of new worms in the early stages, even when there is only a single host infected in a monitoring network. Also, we show that ADUR is highly sensitive so that the worm epidemic can be detectable quickly, e.g., three times earlier than the infection of 90 vulnerable hosts.",
keywords = "Early detection, Internet worm, Randomness, Rank, Traffic matrix",
author = "Hyundo Park and Heejo Lee and Hyogon Kim",
year = "2007",
month = "4",
day = "1",
doi = "10.1093/ietcom/e90-b.4.894",
language = "English",
volume = "E90-B",
pages = "894--903",
journal = "IEICE Transactions on Communications",
issn = "0916-8516",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "4",

}

TY - JOUR

T1 - Detecting Unknown Worms Using Randomness Check

AU - Park, Hyundo

AU - Lee, Heejo

AU - Kim, Hyogon

PY - 2007/4/1

Y1 - 2007/4/1

N2 - From the introduction of CodeRed and Slammer worms, it has been learned that the early detection of worm epidemics is important in order to reduce the damage resulting from outbreaks. A prominent characteristic of Internet worms is the random selection of subsequent targets. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses in network traffic. The proposed mechanism constructs a matrix from network traffic and checks the rank of the matrix in order to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high rank value, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the matrix. From experiments on various environments, it is demonstrated that the ADUR mechanism effectively detects the spread of new worms in the early stages, even when there is only a single host infected in a monitoring network. Also, we show that ADUR is highly sensitive so that the worm epidemic can be detectable quickly, e.g., three times earlier than the infection of 90 vulnerable hosts.

AB - From the introduction of CodeRed and Slammer worms, it has been learned that the early detection of worm epidemics is important in order to reduce the damage resulting from outbreaks. A prominent characteristic of Internet worms is the random selection of subsequent targets. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses in network traffic. The proposed mechanism constructs a matrix from network traffic and checks the rank of the matrix in order to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high rank value, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the matrix. From experiments on various environments, it is demonstrated that the ADUR mechanism effectively detects the spread of new worms in the early stages, even when there is only a single host infected in a monitoring network. Also, we show that ADUR is highly sensitive so that the worm epidemic can be detectable quickly, e.g., three times earlier than the infection of 90 vulnerable hosts.

KW - Early detection

KW - Internet worm

KW - Randomness

KW - Rank

KW - Traffic matrix

UR - http://www.scopus.com/inward/record.url?scp=34247139791&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34247139791&partnerID=8YFLogxK

U2 - 10.1093/ietcom/e90-b.4.894

DO - 10.1093/ietcom/e90-b.4.894

M3 - Article

AN - SCOPUS:34247139791

VL - E90-B

SP - 894

EP - 903

JO - IEICE Transactions on Communications

JF - IEICE Transactions on Communications

SN - 0916-8516

IS - 4

ER -