Detecting Unknown Worms Using Randomness Check

Hyundo Park, Heejo Lee, Hyogon Kim

Research output: Contribution to journal › Article

5 Citations (Scopus)

Abstract

From the introduction of CodeRed and Slammer worms, it has been learned that the early detection of worm epidemics is important in order to reduce the damage resulting from outbreaks. A prominent characteristic of Internet worms is the random selection of subsequent targets. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses in network traffic. The proposed mechanism constructs a matrix from network traffic and checks the rank of the matrix in order to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high rank value, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the matrix. From experiments on various environments, it is demonstrated that the ADUR mechanism effectively detects the spread of new worms in the early stages, even when there is only a single host infected in a monitoring network. Also, we show that ADUR is highly sensitive so that the worm epidemic can be detected quickly, e.g., three times earlier than the infection of 90 vulnerable hosts.
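An added illustration of the rank check the abstract describes (not code from the paper): it builds a binary matrix from the destination addresses seen in a window and computes its rank over GF(2). The 32 x 32 matrix size, the low-bits address-to-cell mapping, the 0.8 rank cut-off and the sample windows are assumptions constructed here, since the abstract does not give ADUR's actual parameters.

```python
import ipaddress
import random

N = 32  # matrix is N x N bits (assumed size, not taken from the paper)

def traffic_matrix(dest_addrs, n=N):
    """Set one cell per destination address; the cell index comes from the
    low bits of the address (an assumed mapping for this illustration)."""
    rows = [0] * n
    for addr in dest_addrs:
        cell = addr % (n * n)
        rows[cell // n] |= 1 << (cell % n)
    return rows

def gf2_rank(rows):
    """Rank over GF(2) by Gaussian elimination on rows stored as ints."""
    rows, rank = list(rows), 0
    while rows:
        pivot = rows.pop()
        if pivot:
            rank += 1
            low = pivot & -pivot  # lowest set bit acts as the pivot column
            rows = [r ^ pivot if r & low else r for r in rows]
    return rank

def looks_like_scan(dest_addrs, n=N, threshold=0.8):
    """Flag a window whose matrix rank is close to full (assumed cut-off)."""
    return gf2_rank(traffic_matrix(dest_addrs, n)) >= threshold * n

# Constructed sample windows (documentation address ranges, fixed seed).
SERVERS = [int(ipaddress.IPv4Address(a)) for a in
           ("192.0.2.10", "192.0.2.25", "192.0.2.53",
            "198.51.100.7", "198.51.100.80", "203.0.113.5")]
rng = random.Random(2007)
benign = [SERVERS[i % len(SERVERS)] for i in range(700)]  # few busy servers
scan = [rng.getrandbits(32) for _ in range(700)]          # random targets
mixed = benign + scan  # normal traffic plus one randomly scanning host

if __name__ == "__main__":
    for name, window in (("benign", benign), ("scan", scan), ("mixed", mixed)):
        rank = gf2_rank(traffic_matrix(window))
        print(f"{name:6s} rank={rank:2d}/{N} flagged={looks_like_scan(window)}")
```

Traffic concentrated on a handful of destinations can never exceed a rank equal to the number of distinct cells it sets, while uniformly random destinations fill the matrix to a density near one half and push the rank close to N.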

Original language: English
Pages (from-to): 894-903
Number of pages: 10
Journal: IEICE Transactions on Communications
Volume: E90-B
Issue number: 4
Publication status: Published - 2007 Apr

Keywords

  • Early detection
  • Internet worm
  • Randomness
  • Rank
  • Traffic matrix

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Electrical and Electronic Engineering
