Abstract
Worm propagation causes great harm to computer networks and has recently become a focus of network security research. This paper presents a local-worm detection algorithm based on an analysis of the traffic characteristics generated by TCP-based worms. Moreover, we adjust the worm location algorithm to account for the differences between high-speed and low-speed worm scanning methods, so that the location algorithm can detect and locate worms with different scanning rates. Finally, we verify the validity and efficiency of the proposed algorithm by simulating it under NS-2.
Supported in part by the National Natural Science Foundation of China (Grant No. 60403028)
Yang, X., Shi, Y. & Zhu, H. Detection and location algorithm against local-worm. Sci. China Ser. F-Inf. Sci. 51, 1935–1946 (2008). https://doi.org/10.1007/s11432-008-0132-z