Signature metrics for accurate and automated worm detection

Prem Gopalan, Kyle Jamieson, Panayiotis Mavrommatis, Massimiliano Poletto

Research output: Chapter in Book/Report/Conference proceedingConference contribution

3 Scopus citations

Abstract

This paper presents two simple algorithms, TreeCount and SenderCount that detect a broad range of exploit-based and email worms, respectively. These algorithms, when combined with automated payload fingerprinting, generate precise worm payload signatures. We show that fundamental traffic properties of most worms, such as infected hosts' attempts to propagate the worm, can serve to detect signatures of non-polymorphic worms reliably and rapidly.Our prototype monitored over 200 Mb/s of university traffic for 3 months. TreeCount generated new signatures during the Zotob outbreak with no false positives, and also identified known worms like Sasser and Phatbot. SenderCount identified email worms and a spam cluster, while generating 2 false positives/hour.

Original languageEnglish (US)
Title of host publicationProceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
Pages65-72
Number of pages8
DOIs
StatePublished - 2006
Externally publishedYes
Event4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06 - Alexandria, VA, United States
Duration: Nov 3 2006Nov 3 2006

Publication series

NameProceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

Other

Other4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
Country/TerritoryUnited States
CityAlexandria, VA
Period11/3/0611/3/06

All Science Journal Classification (ASJC) codes

  • Software

Keywords

  • Network worms
  • Traffic analysis
  • Worm signatures

Fingerprint

Dive into the research topics of 'Signature metrics for accurate and automated worm detection'. Together they form a unique fingerprint.

Cite this