Runtime detection of active scanning worms.

摘要

Intrusion Detection Systems for active scanning network worms is an active research area. A wide range of approaches from packet content monitoring to statistical measurements have been proposed to address the problems of fast spreading network worms and the economic havoc that they wreak. This thesis reviews the existing state of the art in active worm detection and proposes a new method based on locality. By tracking the mean number of destinations each source in a monitored network contacts and monitoring for abrupt upward changes, worms are detected early in their propagation stage. This low-overhead method requires only minimal inspection of the packet header. A novel means of storing the required statistics for each source using a variant of the Bloom Filter is presented. The algorithm is evaluated through simulation against the Code Red and SQL Slammer worms.