
Scanning Worm Detection Algorithm Using Network Traffic Analysis

Kang, Shin-Hun (Department of Electronic Engineering, Ajou University)
Kim, Jae-Hyun (Department of Electronic Engineering, Ajou University)
Abstract
A scanning worm increases the network traffic load and causes severe network congestion because it is self-replicating and sends copies of itself to a large number of hosts through the Internet. An early detection system that can automatically detect scanning worms is therefore needed to protect the network from such attacks. Although many studies have been conducted on detecting scanning worms, most of them focus on methods that use packet header information. Such methods have a long detection delay, since they must examine the header of every packet entering or leaving the network. We therefore propose an algorithm that detects scanning worms using network traffic characteristics: the variance of the traffic volume, the differentiated traffic volume, the mean of the differentiated traffic volume, and the product of the mean traffic volume and the mean of the differentiated traffic volume. We verified the proposed algorithm by analyzing normal traffic captured on a real network and worm traffic generated by a simulator. The proposed algorithm detects CodeRed and Slammer, which are not detected by the existing algorithm. In addition, all worms were detected at an early stage: Slammer was detected in 4 seconds, and CodeRed and Witty were detected in 11 seconds.
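The following is an added illustration of the volume-statistics approach described in the abstract, not the authors' code: it computes the four named characteristics over a sliding window of per-second traffic volumes and raises an alarm when they exceed thresholds calibrated on a normal-traffic baseline. The window size, calibration factor, persistence count and the traffic samples are all assumed or constructed here.

```python
from statistics import mean, pvariance

# Constructed per-second traffic volumes (packets/s); assumed values, not the paper's data.
NORMAL = [1000, 1020, 990, 1010, 1005, 995, 1015, 1000, 990, 1010,
          1000, 1020, 985, 1005, 1000, 995, 1010, 1000, 1015, 990]
# The same baseline followed by a constructed scanning-worm ramp-up starting at t=20.
WORM = NORMAL + [1100, 1250, 1450, 1750, 2200, 2800, 3600, 4600]

def features(window):
    """The four traffic characteristics named in the abstract, over one window."""
    diffs = [b - a for a, b in zip(window, window[1:])]   # differentiated volume
    mean_diff = mean(diffs)
    return {
        "variance": pvariance(window),          # variance of traffic volume
        "diff": diffs[-1],                      # latest differentiated volume
        "mean_diff": mean_diff,                 # mean of differentiated volume
        "product": mean(window) * mean_diff,    # mean volume x mean differentiated volume
    }

def calibrate(baseline, window=5, factor=3.0):
    """Thresholds from normal traffic: factor times the worst value seen (assumed rule)."""
    feats = [features(baseline[i - window:i]) for i in range(window, len(baseline) + 1)]
    return {"variance": factor * max(f["variance"] for f in feats),
            "product": factor * max(f["product"] for f in feats)}

def detect(volumes, thresholds, window=5, persist=2):
    """Return the index of the first second at which the alarm condition has held
    for `persist` consecutive windows, or None. Requiring mean_diff > 0 means the
    traffic must be rising, so a burst that is already draining does not fire."""
    run = 0
    for i in range(window, len(volumes) + 1):
        f = features(volumes[i - window:i])
        hit = (f["variance"] > thresholds["variance"]
               and f["mean_diff"] > 0
               and f["product"] > thresholds["product"])
        run = run + 1 if hit else 0
        if run >= persist:
            return i - 1
    return None

THRESHOLDS = calibrate(NORMAL)

if __name__ == "__main__":
    print("normal traffic alarm:", detect(NORMAL, THRESHOLDS))      # None
    print("worm onset t=20, alarm at t =", detect(WORM, THRESHOLDS))  # 21
```

With persist=1 the alarm fires on the very first worm second (t=20); the persistence requirement trades one second of delay for fewer false alarms on isolated spikes.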
Keywords
Scanning worm; Traffic characteristics; Detection algorithm; Network security