2006
DOI: 10.3233/jcs-2006-14403

Effective worm detection for various scan techniques

Abstract: In recent years, the threats and damages caused by active worms have become more and more serious. In order to reduce the loss caused by fast-spreading active worms, an effective detection mechanism to quickly detect worms is desired. In this paper, we first explore various scan strategies used by worms on finding vulnerable hosts. We show that targeted worms spread much faster than random scan worms. We then present a generic worm detection architecture to monitor malicious worm activities. We propose…

Cited by 18 publications (17 citation statements)
References 13 publications
“…We denote each as U1 through U5 (user applications), W1 through W5 (worms), and M1 through M5 (updates or daemons). We include 5 Windows-based worms of representative samples based on their scanning strategy [16], [28] as shown in Table 3. However, we cannot exploit a Linux worm because it does not work on a Windows system.…”
Section: Experimental Setting (citation type: mentioning)
confidence: 99%
“…EarlyBird system [15] automatically generates potential worm signatures by inspecting traffic patterns and relationships between source and destination addresses. Xia et al. [16] demonstrated how to detect worms by analyzing packets with unused destination addresses.…”
Section: Introduction (citation type: mentioning)
confidence: 99%
“…Relies only on ARP activity; does not correlate ARP requests and replies; [24] History based IP worm detection Source addresses of connection requests are unlikely to have been seen at the network previously; [25] Victim Number based approach Random scanning techniques used by worms induce a large number of packets to inactive addresses or inactive services…”
Section: Scanning and Infection Pattern (citation type: mentioning)
confidence: 99%
“…, $F_m$, where $F_i$ is given to host $i \in M$. If each of $F_i$ is an ordered subset of $F$, we call this arrangement a block-split. In the context of the Internet, a pre-permutation scanner [4], [25] first applies partitioning $g_2$ to $F$ and then permutes each $F_i$ using some algorithm $g_1$ to produce the final assignment [3], [8], [18], [19], [20], [28], [42], [44] first applies permutation $g_1$ to $F$ and then partitions list…”
Section: B Scan Patterns (citation type: mentioning)
confidence: 99%