Enhancing SWORD to Detect Zero-Day-Worm-Infected Hosts

Stafford, Shad; Li, Jun; Ehrenkranz, Toby

doi:10.1177/0037549707080753

Cited by 5 publications

(3 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the related works, we mention that enabling a detection algorithm to execute in real-time usually exploits sliding windows [4,17]. The Accumulation Algorithm is able to promptly obtain the detection results and thus provides an ameliorate condition for online tracing.…”

Section: Online Accumulation Algorithmmentioning

confidence: 99%

Online Accumulation: Reconstruction of Worm Propagation Path

Xiang

Guo

2008

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Knowledge of the worm origin is necessary to forensic analysis, and knowledge of the initial causal flows supports diagnosis of how network defenses were breached. Fast and accurate online tracing network worm during its propagation, help to detect worm origin and the earliest infected nodes, and is essential for large-scale worm containment. This paper introduces the Accumulation Algorithm which can eAEciently tracing worm origin and the initial propagation paths, and presents an improved online Accumulation Algorithm using sliding detection windows. We also analyzes and verifies their detection accuracy and containment eAEcacy through simulation experiments in large scale network. Results indicate that the online Accumulation Algorithm can accurately tracing worms and eAEciently containing their propagation in an approximately real-time manner.

show abstract

Section: Online Accumulation Algorithmmentioning

confidence: 99%

Online Accumulation: Reconstruction of Worm Propagation Path

Xiang

Guo

2008

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Hence, collaboration through gossips provided a way to remedy this by allowing multiple detectors share information to provide better coverage. In [65] the SWORD (Self-propagating Worm Observation and Rapid Detection) detection system was proposed to detect zero-day worms of different propagation types and speeds. This was achieved by determining whether total number of outgoing worm-like connections from a domain during a sliding window crosses a threshold set based on observation of normal traffic.…”

Section: Slow Worm Detectionmentioning

confidence: 99%

“…We emulated slow worms with scanning rates of 5 hosts per minute (h/m) and lOh/m for our experiments. Slow worm rates and thresholds in the order of this magnitude have been used in previous works[65] [22]. Fast worms were emulated with scanning rates of 15 hosts per second (h/s) and 20h/s.…”

mentioning

confidence: 99%