Abstract
From the introduction of CodeRed and Slammer worms, it has been learned that the early detection of worm epidemics is important in order to reduce the damage resulting from outbreaks. A prominent characteristic of Internet worms is the random selection of subsequent targets. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses in network traffic. The proposed mechanism constructs a matrix from network traffic and checks the rank of the matrix in order to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high rank value, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the matrix. From experiments on various environments, it is demonstrated that the ADUR mechanism effectively detects the spread of new worms in the early stages, even when there is only a single host infected in a monitoring network. Also, we show that ADUR is highly sensitive so that the worm epidemic can be detectable quickly, e.g., three times earlier than the infection of 90 vulnerable hosts.
| Original language | English |
|---|---|
| Pages (from-to) | 894-903 |
| Number of pages | 10 |
| Journal | IEICE Transactions on Communications |
| Volume | E90-B |
| Issue number | 4 |
| DOIs | |
| Publication status | Published - 2007 Apr |
Keywords
- Early detection
- Internet worm
- Randomness
- Rank
- Traffic matrix
ASJC Scopus subject areas
- Software
- Computer Networks and Communications
- Electrical and Electronic Engineering