
Proceedings Paper

Rapid detection of worms using ICMP-T3 analysis

Paper Abstract

Identification of an active Internet worm is a manual process in which security analysts must observe and analyze unusual activity on multiple firewalls, intrusion-detection systems, or hosts. A worm might not be positively identified until it has already spread to most of the Internet, eliminating many defensive options. In previous work, we developed an automated system that can identify active worms seconds or minutes after they first begin to spread, a necessary precursor to halting the spread of the worm rather than simply cleaning up afterward. The system collects ICMP Destination Unreachable messages from instrumented network routers, identifies those patterns of unreachable messages that indicate malicious scanning activity, and then searches for patterns of scanning activity that indicate a propagating worm. In this paper, we compare the performance of two different detection strategies, our previous threshold approach and a new line-fit approach, for different worm-propagation techniques, noise environments, and system parameters. These techniques work for worms that generate at least some of their target addresses through a random process, a feature of most recent worms. Although both are powerful methods for fast worm identification, the new line-fit approach proves significantly more noise-resistant.
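The two-stage pipeline the abstract describes (ICMP Destination Unreachable records from routers, then scanner identification, then a worm decision by either a threshold or a line fit over the scanner count) can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not the authors' system, and every parameter in it (the 2 s scanner window, the 4-distinct-destination rule, the 10 s detection window, the slope cutoff, and the three constructed traffic samples) is an assumption chosen to make the contrast visible, not a value taken from the paper.

```python
"""Toy ICMP-T3 worm detector: scanner identification, then a threshold
strategy beside a line-fit strategy over the scanner-arrival curve.
Added illustration only; all parameters and samples are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class IcmpT3:
    ts: float   # seconds since capture start
    src: str    # source of the original (undeliverable) packet
    dst: str    # unreachable destination that source probed


def find_scanners(records, window=2.0, min_dsts=4):
    """Stage 1. Return {src: detection_time}. A source counts as scanning
    once it triggers unreachables for min_dsts distinct destinations
    within `window` seconds (sliding window over that source's records)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.src].append(r)
    detected = {}
    for src, rs in by_src.items():
        rs.sort(key=lambda r: r.ts)
        lo = 0
        for hi in range(len(rs)):
            while rs[hi].ts - rs[lo].ts > window:
                lo += 1
            if len({r.dst for r in rs[lo:hi + 1]}) >= min_dsts:
                detected[src] = rs[hi].ts
                break
    return detected


def threshold_alert(detected, now, window=10.0, min_new=6):
    """Stage 2a (threshold): alarm if at least min_new scanners were first
    seen within the last `window` seconds."""
    recent = [t for t in detected.values() if now - window < t <= now]
    return len(recent) >= min_new


def fit_slope(detected, now, window=10.0, step=1.0):
    """Sample the cumulative scanner count every `step` seconds across the
    window and return the least-squares slope (new scanners per second)."""
    n = int(window / step) + 1
    xs = [i * step for i in range(n)]
    ys = [sum(1 for t in detected.values() if t <= now - window + x) for x in xs]
    xbar, ybar = sum(xs) / n, sum(ys) / n
    sxy = sum((x - xbar) * (y - ybar) for x, y in zip(xs, ys))
    sxx = sum((x - xbar) ** 2 for x in xs)
    return sxy / sxx


def linefit_alert(detected, now, min_slope=0.5, **kw):
    """Stage 2b (line fit): alarm only if the fitted growth rate of the
    scanner population is at least min_slope scanners per second."""
    return fit_slope(detected, now, **kw) >= min_slope


# --- constructed samples (not captured traffic) ---------------------------
def worm_records():
    """Infections double every 5 s (1, 2, 4, 8 hosts); each new host probes
    five unreachable addresses within a second of infection."""
    recs, host = [], 0
    for gen, t0 in enumerate([0.0, 5.0, 10.0, 15.0]):
        for _ in range(2 ** gen):
            src = f"10.0.0.{host}"
            recs += [IcmpT3(t0 + 0.2 * k, src, f"192.0.2.{host * 5 + k}") for k in range(5)]
            host += 1
    return recs


def noise_records():
    """A client retrying one dead host (not a scanner) plus a lone scanner."""
    recs = [IcmpT3(float(t), "198.51.100.7", "192.0.2.250") for t in (1, 2, 3)]
    recs += [IcmpT3(8.0 + 0.2 * k, "203.0.113.9", f"192.0.2.{200 + k}") for k in range(5)]
    return recs


def burst_records():
    """Six unrelated hosts sweeping simultaneously at t=15: a one-shot
    burst, not a growing population."""
    recs = []
    for h in range(6):
        recs += [IcmpT3(15.0 + 0.2 * k, f"172.16.0.{h}", f"192.0.2.{h * 5 + k}") for k in range(5)]
    return recs


if __name__ == "__main__":
    for name, recs in [("worm", worm_records()), ("noise", noise_records()),
                       ("burst", burst_records())]:
        d = find_scanners(recs)
        print(f"{name:5s} scanners={len(d):2d} threshold={threshold_alert(d, 16.0)!s:5s} "
              f"slope={fit_slope(d, 16.0):.2f} linefit={linefit_alert(d, 16.0)}")
```

At t = 16 s the worm sample yields a slope of about 0.91 new scanners per second and trips both detectors, the noise sample trips neither, and the burst sample trips the threshold (six scanners inside one window) but not the line fit (slope about 0.27, a single jump rather than sustained growth). That is the toy version of the noise-resistance argument in the abstract: a fit over the whole window discounts a one-off spike that a count-in-window threshold cannot distinguish from propagation.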

Paper Details

Date Published: 15 September 2004
PDF: 13 pages
Proc. SPIE 5403, Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Security and Homeland Defense III, (15 September 2004); doi: 10.1117/12.548171
Robert S. Gray, Dartmouth College (United States)
Vincent H. Berk, Dartmouth College (United States)


Published in SPIE Proceedings Vol. 5403:
Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Security and Homeland Defense III
Edward M. Carapezza, Editor(s)

© SPIE.