http://dx.doi.org/10.13089/JKIISC.2007.17.1.57

Detection Algorithm of Scanning worms using network traffic characteristics  

Kim, Jae-Hyun (School of Electrical and Computer Engineering, Ajou University)
Kang, Shin-Hun (School of Electrical and Computer Engineering, Ajou University)
Abstract
Scanning worms increase network traffic load because they randomly scan network addresses to find hosts that are susceptible to infection. Because their propagation speed is faster than human reaction, scanning worms cause severe network congestion. We therefore need to build an early detection system that can automatically detect and quarantine such attacks. We propose algorithms to detect scanning worms using network traffic characteristics such as variance, variance-to-mean ratio (VMR), and correlation coefficient. The proposed algorithms have been verified by computer simulation. Compared to existing algorithms, the proposed algorithms not only reduced computational complexity but also improved detection accuracy.
Keywords
scanning worm; worm detection; traffic characteristics