FDF: Frequency detection-based filtering of scanning worms

Byungseung Kim; Hyogon Kim; Saewoong Bahk

doi:10.1016/j.comcom.2008.12.010

FDF: Frequency detection-based filtering of scanning worms

Byungseung Kim, Hyogon Kim, Saewoong Bahk

Department of Computer Science and Engineering

Research output: Contribution to journal › Article › peer-review

4 Citations (Scopus)

Abstract

In this paper, we propose a simple algorithm for detecting scanning worms with high detection rate and low false positive rate. The novelty of our algorithm is inspecting the frequency characteristic of scanning worms instead of counting the number of suspicious connections or packets from a monitored network. Its low complexity allows it to be used on any network-based intrusion detection system as a real-time detection module for high-speed networks. Our algorithm need not be adjusted to network status because its parameters depend on application types, which are generally and widely used in any networks such as web and P2P services. By using real traces, we evaluate the performance of our algorithm and compare it with that of SNORT. The results confirm that our algorithm outperforms SNORT with respect to detection rate and false positive rate.

Original language	English
Pages (from-to)	847-857
Number of pages	11
Journal	Computer Communications
Volume	32
Issue number	5
DOIs	https://doi.org/10.1016/j.comcom.2008.12.010
Publication status	Published - 2009 Mar 27

Keywords

Autocorrelation
Frequency characteristic
Intrusion detection system
Scanning worm

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.1016/j.comcom.2008.12.010

Cite this

@article{43cf7494734a4903a648794636c8c499,

title = "FDF: Frequency detection-based filtering of scanning worms",

abstract = "In this paper, we propose a simple algorithm for detecting scanning worms with high detection rate and low false positive rate. The novelty of our algorithm is inspecting the frequency characteristic of scanning worms instead of counting the number of suspicious connections or packets from a monitored network. Its low complexity allows it to be used on any network-based intrusion detection system as a real-time detection module for high-speed networks. Our algorithm need not be adjusted to network status because its parameters depend on application types, which are generally and widely used in any networks such as web and P2P services. By using real traces, we evaluate the performance of our algorithm and compare it with that of SNORT. The results confirm that our algorithm outperforms SNORT with respect to detection rate and false positive rate.",

keywords = "Autocorrelation, Frequency characteristic, Intrusion detection system, Scanning worm",

author = "Byungseung Kim and Hyogon Kim and Saewoong Bahk",

note = "Funding Information: This work was supported in part by the IT R&D program of MKE/IITA [2008-F-034-01, Development of Security-Quality Guarantee Technology in Resilient Networks] and Foundation of ubiquitous computing and networking (UCN) Project, the Ministry of Knowledge Economy (MKE) 21st Century Frontier R&D Program in Korea.",

year = "2009",

month = mar,

day = "27",

doi = "10.1016/j.comcom.2008.12.010",

language = "English",

volume = "32",

pages = "847--857",

journal = "Computer Communications",

issn = "0140-3664",

publisher = "Elsevier",

number = "5",

}

TY - JOUR

T1 - FDF

T2 - Frequency detection-based filtering of scanning worms

AU - Kim, Byungseung

AU - Kim, Hyogon

AU - Bahk, Saewoong

N1 - Funding Information: This work was supported in part by the IT R&D program of MKE/IITA [2008-F-034-01, Development of Security-Quality Guarantee Technology in Resilient Networks] and Foundation of ubiquitous computing and networking (UCN) Project, the Ministry of Knowledge Economy (MKE) 21st Century Frontier R&D Program in Korea.

PY - 2009/3/27

Y1 - 2009/3/27

N2 - In this paper, we propose a simple algorithm for detecting scanning worms with high detection rate and low false positive rate. The novelty of our algorithm is inspecting the frequency characteristic of scanning worms instead of counting the number of suspicious connections or packets from a monitored network. Its low complexity allows it to be used on any network-based intrusion detection system as a real-time detection module for high-speed networks. Our algorithm need not be adjusted to network status because its parameters depend on application types, which are generally and widely used in any networks such as web and P2P services. By using real traces, we evaluate the performance of our algorithm and compare it with that of SNORT. The results confirm that our algorithm outperforms SNORT with respect to detection rate and false positive rate.

AB - In this paper, we propose a simple algorithm for detecting scanning worms with high detection rate and low false positive rate. The novelty of our algorithm is inspecting the frequency characteristic of scanning worms instead of counting the number of suspicious connections or packets from a monitored network. Its low complexity allows it to be used on any network-based intrusion detection system as a real-time detection module for high-speed networks. Our algorithm need not be adjusted to network status because its parameters depend on application types, which are generally and widely used in any networks such as web and P2P services. By using real traces, we evaluate the performance of our algorithm and compare it with that of SNORT. The results confirm that our algorithm outperforms SNORT with respect to detection rate and false positive rate.

KW - Autocorrelation

KW - Frequency characteristic

KW - Intrusion detection system

KW - Scanning worm

UR - http://www.scopus.com/inward/record.url?scp=61349143044&partnerID=8YFLogxK

U2 - 10.1016/j.comcom.2008.12.010

DO - 10.1016/j.comcom.2008.12.010

M3 - Article

AN - SCOPUS:61349143044

SN - 0140-3664

VL - 32

SP - 847

EP - 857

JO - Computer Communications

JF - Computer Communications

IS - 5

ER -

FDF: Frequency detection-based filtering of scanning worms

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this