Monitoring and Early Detection for Internet Worms (0)
Cached
Download Links
| Venue: | IEEE/ACM Transactions on Networking |
| Citations: | 66 - 2 self |
BibTeX
@ARTICLE{Zou_monitoringand,
author = {Cliff C. Zou and Weibo Gong and Don Towsley and Lixin Gao},
title = {Monitoring and Early Detection for Internet Worms},
journal = {IEEE/ACM Transactions on Networking},
year = {},
volume = {13},
pages = {961--974}
}
Share
 |
 |
 |
 |
||
OpenURL
Abstract
After several Internet-scale worm incidents in recent years, it is clear that a simple self-propagating worm can quickly spread across the Internet and cause severe damage to our society. Facing this great security threat, we must build an early detection system to detect the presence of a worm as quickly as possible in order to give people enough time for counteractions. In this paper, we first present an Internet worm monitoring system. Then based on the idea of "detecting the trend, not the burst" of monitored illegitimate traffic, we present a non-threshold based "trend detection" methodology to detect a worm at its early stage by using Kalman filter estimation. In addition, for uniform scan worms such as Code Red and Slammer, we can effectively predict the overall vulnerable population size, and estimate accurately how many computers are really infected in the global Internet based on the biased monitored data. For monitoring of non-uniform scan worms such as Blaster, we show that the address space covered by a monitoring system should be as distributed as possible.
Keyphrases
early detection internet worm overall vulnerable population size great security threat simple self-propagating worm non-uniform scan worm internet worm monitoring system global internet uniform scan worm monitoring system many computer kalman filter estimation monitored illegitimate traffic several internet-scale worm incident code red early stage address space severe damage recent year trend detection methodology early detection system people enough time
