Conference: International Symposium on Information, Computer, and Communications Security

An integrated approach to detection of fast and slow scanning worms


Abstract

The propagation speed of fast scanning worms and the stealthy nature of slow scanning worms present unique challenges to intrusion detection. Typically, techniques optimized for detection of fast scanning worms fail to detect slow scanning worms, and vice versa. In practice, there is interest in developing an integrated approach to detecting both classes of worms. In this paper, we propose and analyze a unique integrated detection approach capable of detecting and identifying traffic flow(s) responsible for simultaneous fast and slow scanning malicious worm attacks. The approach uses a combination of evidence from distributed host-based anomaly detectors, a self-adapting profiler and Bayesian inference from network heuristics to detect intrusion activity due to both fast and slow scanning worms. We assume that the extreme nature of fast scanning worm epidemics makes them well suited for extreme value theory and use the sample mean excess function to determine appropriate thresholds for detection of such worms. Random scanning worm behavior is considered in analyzing the stochastic time intervals that affect behavior of the detection technique. Based on the analysis, a probability model for worm detection interval using the detection scheme was developed. Simulations are used to validate our assumptions and analysis.