This preview shows pages 1–2. Sign up to view the full content.
This preview has intentionally blurred sections. Sign up to view the full version.View Full Document
Unformatted text preview: IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 13, NO. 5, OCTOBER 2005 961 The Monitoring and Early Detection of Internet Worms Cliff C. Zou , Member, IEEE , Weibo Gong , Fellow, IEEE , Don Towsley , Fellow, IEEE , and Lixin Gao , Member, IEEE Abstract After many Internet-scale worm incidents in re- cent years, it is clear that a simple self-propagating worm can quickly spread across the Internet and cause severe damage to our society. Facing this great security threat, we need to build an early detection system that can detect the presence of a worm in the Internet as quickly as possible in order to give people accurate early warning information and possible reaction time for counteractions. This paper first presents an Internet worm monitoring system. Then, based on the idea of detecting the trend, not the burst of monitored illegitimate traffic, we present a trend detection methodology to detect a worm at its early propagation stage by using Kalman filter estimation, which is robust to background noise in the monitored data. In addition, for uniform-scan worms such as Code Red, we can effectively predict the overall vulnerable population size, and estimate accurately how many computers are really infected in the global Internet based on the biased monitored data. For monitoring a nonuniform scan worm, especially a sequential-scan worm such as Blaster, we show that it is crucial for the address space covered by the worm monitoring system to be as distributed as possible. Index Terms Computer network security, early detection, In- ternet worm, network monitoring. I. INTRODUCTION S INCE the Morris worm in 1988 , the security threat posed by worms has steadily increased, especially in the last several years. Code Red appeared on July 19, 2001 , which began the new wave of Internet-scale worm attacks. After that, Code Red II, Nimda, Slammer, Blaster, Sasser, and Witty have repeatedly attacked the Internet  and caused great damage to our society. Currently, some organizations and security companies, such as the CERT, CAIDA, and SANS Institute , , , are monitoring the Internet and paying close attention to any ab- normal traffic. When they observe abnormal network activi- ties, their security experts immediately analyze these incidents. Given the fast-spreading nature of Internet worms and their se- vere damage to our society, it is necessary to set up a nation- Manuscript received February 13, 2004; revised August 17, 2004; approved by IEEE/ACM TRANSACTIONS ON NETWORKING Editor V. Paxson. This work was supported in part by the Army Research Office under Contract DAAD19-01-1-0610, the Defense Advanced Research Projects Agency under Contract DOD F30602-00-0554, the National Science Foundation under Grants EIA-0080119, ANI9980552, and ANI-0208116, and the Air Force Research Laboratory....
View Full Document
- Spring '08