Proceedings Paper

Using sensor networks and data fusion for early detection of active worms
Author(s): Vincent H. Berk; Robert S. Gray; George Bakos
Paper Abstract

Identification of an Internet worm is a manual process where security analysts must observe and analyze unusual activity on multiple firewalls, intrusion-detection systems or hosts. A worm might not be positively identified until it already has spread to most of the Internet, eliminating many defensive options. In this paper, we present an automated system that can identify active worms seconds or minutes after they first begin to spread, a necessary precursor to halting the spread of a worm, rather than simply cleaning up afterward. Our implemented system collects ICMP Unreachable messages from instrumented network routers, identifies those patterns of unreachable messages that indicate malicious scanning activity, and then searches for patterns of scanning activity that indicate a propagating worm. In this paper, we examine the problem of active worms, describe our ICMP-based detection system, and present simulation results that illustrate the speed with which it can detect a worm.
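The two-stage idea in the abstract (per-source scanning patterns in ICMP Unreachable traffic, then a worm-like rise in the number of scanning sources) as a small added example; this is not the paper's code, and the records, window size and thresholds are constructed assumptions:

```python
"""Toy two-stage worm detector over ICMP Unreachable records (added example).

Stage 1: a source that triggers Unreachables for many distinct destinations
inside one time window is flagged as a scanner.
Stage 2: a jump in the number of newly flagged scanners between windows is
flagged as a propagating worm. All thresholds below are assumptions.
"""
from collections import defaultdict


def make_records():
    """Constructed sample: (seconds, probing src, unreachable dst) as a router
    would report them. One benign host plus 1, 2 and 4 new scanners per window."""
    recs = [(1, "10.0.0.5", "10.0.9.1"), (2, "10.0.0.5", "10.0.9.2")]  # benign
    scanners = {0: ["10.1.0.1"], 1: ["10.1.0.2", "10.1.0.3"],
                2: ["10.1.0.4", "10.1.0.5", "10.1.0.6", "10.1.0.7"]}
    for w, srcs in scanners.items():
        for s in srcs:
            for i in range(12):  # 12 distinct unreachable destinations each
                recs.append((w * 10 + i % 10, s, f"192.168.{i}.1"))
    return recs


def find_scanners(records, window=10, min_dests=8):
    """Return {window_index: set(sources)} for sources whose Unreachables span
    at least min_dests distinct destinations within that window."""
    dests = defaultdict(set)  # (window, src) -> distinct unreachable destinations
    for t, src, dst in records:
        dests[(t // window, src)].add(dst)
    scanners = defaultdict(set)
    for (w, src), d in dests.items():
        if len(d) >= min_dests:
            scanners[w].add(src)
    return scanners


def detect_worm(scanners, min_new=3, growth=1.5):
    """Return (window, new_scanner_count) for the first window where the count of
    never-before-seen scanners is >= min_new and >= growth x the previous
    window's count; None if no worm-like growth is observed."""
    seen, prev_new = set(), 0
    for w in sorted(scanners):
        new = scanners[w] - seen
        seen |= scanners[w]
        if len(new) >= min_new and len(new) >= growth * max(prev_new, 1):
            return w, len(new)
        prev_new = len(new)
    return None


if __name__ == "__main__":
    print(detect_worm(find_scanners(make_records())))  # (2, 4)
```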

Paper Details

Date Published: 22 September 2003
PDF: 13 pages
Proc. SPIE 5071, Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Defense and Law Enforcement II, (22 September 2003); doi: 10.1117/12.500849
Vincent H. Berk, Dartmouth College (United States)
Robert S. Gray, Dartmouth College (United States)
George Bakos, Dartmouth College (United States)


Published in SPIE Proceedings Vol. 5071:
Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Defense and Law Enforcement II
Edward M. Carapezza, Editor(s)

© SPIE. Terms of Use