
Proceedings Paper

Early detection of Internet worm activity by metering ICMP destination unreachable messages
Author(s): George Bakos; Vincent H. Berk

Paper Abstract

Early warning of active worm propagation over the Internet is of vital importance to first responders. Knowing an active worm's characteristics very early in its propagation can significantly reduce the damage it may cause. In this paper we propose an early warning system that uses ICMP Destination Unreachable (ICMP-T3) messages to identify the random scanning behavior of worms. Participating routers across the Internet send Blind Carbon Copies of all their locally generated ICMP-T3 messages to a central collection point. There, all the incoming messages are compared for similarities. Incoming messages are abstracted and patterns identified. Using the methods discussed in this paper, we identify 'blooms' of activity that are a clear signature of worm propagation. Preliminary test results have shown that actively spreading worms can be identified in the first few minutes after they are launched. By using the characteristics gathered in those early stages, action can be taken and widespread damage might be avoided.

Paper Details

Date Published: 14 August 2002
PDF: 10 pages
Proc. SPIE 4708, Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Defense and Law Enforcement, (14 August 2002); doi: 10.1117/12.479290
Author Affiliations
George Bakos, Dartmouth College (United States)
Vincent H. Berk, Dartmouth College (United States)


Published in SPIE Proceedings Vol. 4708:
Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Defense and Law Enforcement
Edward M. Carapezza, Editor(s)

© SPIE.