Successful worm detection at real-time OC-48 and OC-192 speed requires hardware to extract web based binary sequences at faster than these speeds, and software to process the incoming sequences to identify worms. Computer hardware advancement in the form of field programmable gate arrays (FPGAs) makes real-time extraction of these sequences possible. Lacking are mathematical algorithms for worm detection in the real time data sequence, and the ability to convert these algorithms into lookup tables (LUTs) that can be compiled into FPGAs. Data Modeling provides the theory and algorithms for an effective mathematical framework for real-time worm detection and conversion of algorithms into LUTs. Detection methods currently available such as pattern recognition algorithms are limited both by the amount of time to compare the current data sequence with a historical database of potential candidates, and by the inability to accurately classify information that was unseen in the training process. Data Modeling eliminates these limitations by training only on examples of nominal behavior. This results in a highly tuned and fast running equation model that is compiled in a FPGA as a LUT and used at real-time OC-48 and OC-192 speeds to detect worms and other anomalies. This paper provides an overview of our approach for generating these Data Change Models for detecting worms, and their subsequent conversion into LUTs. A proof of concept is given using binary data from a WEBDAV, SLAMMER packet, and RED PROBE attack, with BASIC source code for the detector and LUT provided.

Date Published: 28 March 2005
PDF: 9 pages
Proc. SPIE 5812, Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2005, (28 March 2005); doi: 10.1117/12.603367

Published in SPIE Proceedings Vol. 5812:
Data Mining, Intrusion Detection, Information Assurance, and Data Networks Security 2005
Belur V. Dasarathy, Editor(s)