
Monitoring and Early Warning for Internet Worms

A paper that examines the application of the Kalman filter (see more below), which had been proposed as a means to discover trends indicative of a worm from watching network traffic.

After the Code Red incident in 2001 and the SQL Slammer in January 2003, it is clear that a simple self-propagating worm can quickly spread across the Internet, infecting most vulnerable computers before people can take effective countermeasures. The fast spreading nature of worms calls for a worm monitoring and early warning system. In this paper, we propose effective algorithms for early detection of the presence of a worm and the corresponding monitoring system. Based on the epidemic model and observation data from the monitoring system, by using the idea of 'detecting the trend, not the rate' of monitored illegitimate scan traffic, we propose to use a Kalman filter to detect a worm's propagation.

Source: Monitoring and Early Warning for Internet Worms, Cliff Changchun Zou, Lixin Gao, Weibo Gong, Don Towsley.

You can get more information about the Kalman filter, which is used in signal processing to discover linked input sources, at these links: The Kalman Filter, Some tutorials, references, and research on the Kalman filter (includes a link to the original paper), and Kalman filter toolbox for Matlab.
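As an added illustration of the "trend, not rate" idea (this is example code written for this post, not the paper's own implementation), here is a scalar Kalman filter that tracks the growth factor of a series of monitored scan counts and raises an alarm only when that factor stays above 1 for several consecutive intervals. The discrete model Z_t = a·Z_{t-1} + noise, the noise variances, the threshold and the sample counts are all assumptions chosen for the example.

```python
"""Added example: track the growth *trend* of monitored scan counts with a
scalar Kalman filter. The model Z_t = a * Z_{t-1} + noise is an assumption
for illustration, not the paper's exact formulation."""


def kalman_growth_estimates(counts, q=1e-4, r=25.0, a0=1.0, p0=1.0):
    """Estimate the growth factor a in Z_t = a * Z_{t-1} + noise, step by step.

    State: a (assumed nearly constant; random walk with process-noise variance q).
    Observation: Z_t, with observation coefficient H_t = Z_{t-1} and noise variance r.
    Returns one estimate per transition (len(counts) - 1 values).
    """
    a_est, p = a0, p0
    estimates = []
    for prev, cur in zip(counts, counts[1:]):
        p_pred = p + q                  # predict: state unchanged, uncertainty grows
        h = float(prev)
        s = h * p_pred * h + r          # innovation variance
        k = p_pred * h / s              # Kalman gain
        a_est = a_est + k * (cur - h * a_est)   # correct with the new observation
        p = (1.0 - k * h) * p_pred
        estimates.append(a_est)
    return estimates


def first_alarm(counts, threshold=1.1, consecutive=3):
    """Index into counts of the first interval at which the estimated growth
    factor has exceeded `threshold` for `consecutive` intervals in a row,
    or None if no sustained upward trend is seen (a spike alone never alarms)."""
    run = 0
    for i, a in enumerate(kalman_growth_estimates(counts), start=1):
        run = run + 1 if a > threshold else 0
        if run >= consecutive:
            return i
    return None


# Constructed sample (assumed values): about 50 background scans per interval,
# then a worm whose scan contribution grows by roughly 1.5x per interval.
QUIET = [50, 52, 50, 49, 51, 50, 52, 49, 50]
WORM = [60, 65, 72, 84, 101, 126, 164, 221, 306, 434]

if __name__ == "__main__":
    for label, series in (("quiet", QUIET), ("quiet+worm", QUIET + WORM)):
        print(label, "-> alarm at interval:", first_alarm(series))
```

Because the filter estimates the multiplicative trend rather than the count itself, the noisy background intervals never alarm, while the exponential phase of the constructed worm series does.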

March 7, 2005 in papers
