Abstract
A computer worm is a self-replicating malicious program that does not alter files but resides in active memory, where it duplicates itself. Worms use parts of the operating system that are automatic and usually invisible to the user. Worms commonly exhibit abnormal behaviour that becomes noticeable only when their uncontrolled replication consumes system resources and consequently slows down or completely halts other tasks. This paper proposes an effective approach for detecting the presence of TCP network worms. The approach consists of two phases: a Statistical Cross-relation for Network Scanning (SCANS) phase and a Worm Correlation phase. The SCANS phase detects the network scanning behaviour of a network worm, while the worm correlation phase detects the Destination Source Correlation (DSC) behaviour of the network worm. The proposed approach has been tested with a simulated dataset obtained from the GTNetS simulator. The numerical results show that the proposed approach is efficient and outperforms the well-known DSC approach in detecting the presence of TCP network worms.
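To make the two-phase idea concrete, the following is an added illustration written for this page; it is not the authors' code and does not reproduce the SCANS statistic. It stands in a simplified scan detector (many distinct targets on one port, mostly failed handshakes, inside one time window) for the SCANS phase, and then applies the Destination Source Correlation rule: a host that received a completed connection on port p and shortly afterwards starts initiating connections on port p to several other hosts is flagged as a propagating worm victim. The flow records, host addresses, window size and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One TCP connection attempt summarised as a flow record (constructed for this example)."""
    t: float         # start time in seconds
    src: str         # initiating host
    dst: str         # contacted host
    dport: int       # destination TCP port
    completed: bool  # True if the handshake completed; a probe to an absent/closed host does not


def make_sample_flows():
    """Constructed trace: 10.0.0.5 sweeps port 445 across the /24 and reaches 10.0.0.9,
    which then begins its own sweep of port 445 (the DSC pattern)."""
    flows = [
        Flow(0.5, "10.0.0.2", "10.0.0.3", 80, True),   # ordinary web request
        Flow(1.0, "10.0.0.3", "10.0.0.2", 22, True),   # ordinary ssh session
    ]
    for i in range(6, 30):                             # patient zero: 24 targets, only .9 answers
        flows.append(Flow(2.0 + (i - 6) * 0.1, "10.0.0.5", f"10.0.0.{i}", 445, i == 9))
    for i in range(30, 50):                            # secondary victim: 20 targets, none answer
        flows.append(Flow(12.0 + (i - 30) * 0.1, "10.0.0.9", f"10.0.0.{i}", 445, False))
    return flows


def detect_scanners(flows, window=10.0, min_targets=10, min_fail_ratio=0.7):
    """Scanning phase (simplified stand-in for SCANS; thresholds are assumptions).
    A (source, port) pair is a scanner if, inside one time window, it contacts at least
    min_targets distinct hosts and at least min_fail_ratio of those attempts fail."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[(f.src, f.dport, int(f.t // window))].append(f)
    scanners = {}
    for (src, dport, _), fs in buckets.items():
        targets = {f.dst for f in fs}
        fail_ratio = sum(1 for f in fs if not f.completed) / len(fs)
        if len(targets) >= min_targets and fail_ratio >= min_fail_ratio:
            scanners[(src, dport)] = {"targets": len(targets), "fail_ratio": round(fail_ratio, 3)}
    return scanners


def correlate_dsc(flows, scanners, horizon=60.0, min_victims=3):
    """Destination Source Correlation phase. For each detected scanner, look for a completed
    inbound connection on the same port shortly before it started scanning: a host that was a
    destination on port p and then becomes a source on port p shows worm propagation."""
    inbound = defaultdict(list)
    for f in flows:
        if f.completed:
            inbound[(f.dst, f.dport)].append((f.t, f.src))
    alerts = []
    for (host, dport) in sorted(scanners):
        for t_in, infector in sorted(inbound.get((host, dport), [])):
            outgoing = {f.dst for f in flows
                        if f.src == host and f.dport == dport and t_in < f.t <= t_in + horizon}
            if len(outgoing) >= min_victims:
                alerts.append({"host": host, "port": dport,
                               "infected_by": infector, "infected_at": round(t_in, 3)})
                break  # one alert per host is enough; earliest inbound wins
    return alerts


if __name__ == "__main__":
    flows = make_sample_flows()
    scanners = detect_scanners(flows)
    for key, stats in sorted(scanners.items()):
        print("scanner", key, stats)
    for alert in correlate_dsc(flows, scanners):
        print("DSC alert", alert)
```

On the constructed trace both 10.0.0.5 and 10.0.0.9 are reported as scanners, but only 10.0.0.9 produces a DSC alert, because it is the only one that received a completed inbound connection on port 445 before its own sweep; the alert names 10.0.0.5 as the infecting source. Patient zero has no inbound correlation and is caught by the scanning phase alone, which is why the two phases complement each other.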
Cite this article
Anbar, M., Abdullah, R., Munther, A. et al. NADTW: new approach for detecting TCP worm. Neural Comput & Applic 28 (Suppl 1), 525–538 (2017). https://doi.org/10.1007/s00521-016-2358-9
DOI: https://doi.org/10.1007/s00521-016-2358-9