
The EarlyBird System for Real-time Detection of Unknown Worms

Now this is the one I meant to refer to earlier. I knew that Savage and company had done a project called "EarlyBird".

Network worms are a major threat to the security of today's Internet-connected hosts and networks. The combination of unmitigated connectivity and widespread software homogeneity allows worms to exploit tremendous parallelism in propagation. Modern worms spread so quickly that no human-mediated reaction to the outbreak of a new worm can hope to prevent a widespread epidemic. In this paper we propose an automated method for detecting new worms based on traffic characteristics common to most of them: highly repetitive packet content, an increasing population of sources generating infections and an increasing number of destinations being targeted. Our method generates content signatures for the worm without any human intervention. Preliminary results on a small network show promising results: we have identified three confirmed worms with a low percentage of false positives. This gives us reason to believe that our method could form the core of an effective network-level worm detection and countermeasure system capable of substantially slowing down the spread of new worms.

Source: The EarlyBird System for Real-time Detection of Unknown Worms, Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage.
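To make the abstract's three signals concrete, here is an added toy "content sifter" (my own illustration, not code from the EarlyBird paper or this blog): it fingerprints fixed-size windows of packet payload, counts how often each window recurs and how many distinct sources and destinations carry it, and emits a content signature only when all three cross assumed thresholds. The window size, thresholds, hash function and packet traces are all assumptions chosen for the demo; exact counters and sets stand in for the compact streaming structures a real-time sifter would need.

```python
# Added example, not from the EarlyBird paper: a minimal content sifter.
from collections import defaultdict
import hashlib

# Constructed worm-like payload used by the demo traffic below.
WORM_PAYLOAD = b"\x90" * 8 + b"CONSTRUCTED-PAYLOAD" + b"\x41" * 8

class ContentSifter:
    """Flag byte strings that are (1) highly repetitive, (2) sent by many
    sources and (3) aimed at many destinations; thresholds are assumptions."""

    def __init__(self, window=16, min_prevalence=4, min_sources=3, min_dests=3):
        self.window, self.min_prevalence = window, min_prevalence
        self.min_sources, self.min_dests = min_sources, min_dests
        self.prevalence = defaultdict(int)   # fingerprint -> occurrence count
        self.sources = defaultdict(set)      # fingerprint -> distinct sources
        self.dests = defaultdict(set)        # fingerprint -> distinct destinations
        self.reported = set()                # fingerprints already turned into signatures

    def _fingerprints(self, payload):
        # Slide a fixed window over the payload; a plain hash stands in for
        # the incremental fingerprinting a high-speed sifter would use.
        for i in range(max(1, len(payload) - self.window + 1)):
            chunk = payload[i:i + self.window]
            yield hashlib.blake2b(chunk, digest_size=8).digest(), chunk

    def observe(self, src, dst, payload):
        """Feed one packet; return the new content signatures that crossed all thresholds."""
        new_signatures = []
        for fp, chunk in self._fingerprints(payload):
            self.prevalence[fp] += 1
            self.sources[fp].add(src)
            self.dests[fp].add(dst)
            if (fp not in self.reported
                    and self.prevalence[fp] >= self.min_prevalence
                    and len(self.sources[fp]) >= self.min_sources
                    and len(self.dests[fp]) >= self.min_dests):
                self.reported.add(fp)
                new_signatures.append(chunk)
        return new_signatures

def run_demo():
    """Return (alerts from benign repetition, alerts from a constructed worm burst)."""
    sifter = ContentSifter()
    benign, worm = [], []
    # Benign repetition: one client re-requesting one page; prevalent, but no dispersion.
    for _ in range(6):
        benign += sifter.observe("10.0.0.5", "10.0.0.80", b"GET /index.html HTTP/1.1\r\n")
    # Worm-like burst: identical payload from many sources to many destinations.
    for i in range(5):
        worm += sifter.observe(f"192.0.2.{i}", f"198.51.100.{i}", WORM_PAYLOAD)
    return benign, worm
```

The benign flood never produces a signature because address dispersion stays at one source and one destination, while the burst is reported on its fourth packet, once prevalence and both dispersion counts exceed the thresholds.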

January 27, 2005 in papers | Permalink
