Detecting Early Worm Propagation through Packet Matching

Xuan Chen and John Heidemann
USC/Information Sciences Institute

Abstract

In this paper, we present DEWP, a router-based system designed to automatically detect and quarantine Internet worm propagation. DEWP detects worm probing traffic by matching destination port numbers between incoming and outgoing connections. This approach does not require knowledge of worm packet contents or profiles of normal traffic conditions; it can automatically detect and suppress worms due to their unusual traffic patterns. We describe how DEWP works and evaluate its performance with simulations. We study the speed of detection and the effectiveness of vulnerable host protection relative to factors including worm scanning techniques, DEWP deployment coverage and detection intervals. We also investigate false detections with network trace playback. We show that DEWP detects worm propagation within about 4 seconds. By blocking worm probing traffic automatically, DEWP can protect more than 99% of hosts from random-scanning worms.
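The port-matching idea in the abstract, as an added toy illustration (this is not DEWP's own code or the paper's simulator): a router buckets connection attempts into fixed detection intervals and, per destination port, counts probes entering the protected network and connections leaving it. A port that sees inbound probes and, in the same interval, outbound attempts from inside hosts towards several distinct outside addresses is flagged, and later outbound attempts to that port are dropped. The one-second interval, the thresholds, the distinct-destination requirement, the 10.0.0.x address prefix and the trace itself are all constructed assumptions for the example.

```python
"""Toy DEWP-style detector: match destination ports of inbound and outbound
connection attempts seen at a router (added example, not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Assumption: hosts behind the router live in this (constructed) prefix.
PROTECTED_PREFIX = "10.0.0."


@dataclass(frozen=True)
class Conn:
    """One connection attempt (e.g. a TCP SYN) observed at the router."""
    t: float      # seconds since start of the trace
    src: str
    dst: str
    dport: int


def is_inbound(c: Conn) -> bool:
    return c.dst.startswith(PROTECTED_PREFIX) and not c.src.startswith(PROTECTED_PREFIX)


def is_outbound(c: Conn) -> bool:
    return c.src.startswith(PROTECTED_PREFIX) and not c.dst.startswith(PROTECTED_PREFIX)


def detect(conns: Iterable[Conn], interval: float = 1.0,
           min_in: int = 3, min_out_dsts: int = 3) -> Dict[int, float]:
    """Return {dport: detection_time} for ports whose inbound probe count and
    outbound distinct-destination count both cross their (assumed) thresholds
    within one detection interval. Detection time is the end of that interval."""
    buckets: Dict[int, List[Conn]] = defaultdict(list)
    for c in conns:
        buckets[int(c.t // interval)].append(c)
    flagged: Dict[int, float] = {}
    for idx in sorted(buckets):
        inbound: Dict[int, int] = defaultdict(int)
        outbound: Dict[int, Set[str]] = defaultdict(set)
        for c in buckets[idx]:
            if is_inbound(c):
                inbound[c.dport] += 1
            elif is_outbound(c):
                outbound[c.dport].add(c.dst)
        for port, dsts in outbound.items():
            if port in flagged:
                continue
            if inbound[port] >= min_in and len(dsts) >= min_out_dsts:
                flagged[port] = (idx + 1) * interval
    return flagged


def quarantine(conns: Iterable[Conn], flagged: Dict[int, float]) -> List[Conn]:
    """Forward everything except outbound attempts to a flagged port made at or
    after its detection time (inbound traffic and other ports are untouched)."""
    return [c for c in conns
            if not (is_outbound(c) and c.dport in flagged and c.t >= flagged[c.dport])]


# Constructed trace: legitimate web/HTTPS traffic plus a worm on port 5555
# (a made-up port) that infects 10.0.0.2 and then 10.0.0.3.
SAMPLE_TRACE = [
    Conn(0.1, "198.51.100.10", "10.0.0.1", 80),      # outside clients -> inside web server
    Conn(0.4, "198.51.100.11", "10.0.0.1", 80),
    Conn(1.3, "198.51.100.12", "10.0.0.1", 80),
    Conn(2.2, "198.51.100.13", "10.0.0.1", 80),
    Conn(0.3, "10.0.0.7", "198.51.100.20", 443),     # inside users -> outside HTTPS sites
    Conn(1.2, "10.0.0.8", "198.51.100.21", 443),
    Conn(2.6, "10.0.0.7", "198.51.100.22", 443),
    Conn(0.2, "203.0.113.5", "10.0.0.2", 5555),      # worm probes arriving from outside
    Conn(0.5, "203.0.113.5", "10.0.0.3", 5555),
    Conn(0.7, "203.0.113.9", "10.0.0.4", 5555),
    Conn(0.9, "203.0.113.9", "10.0.0.5", 5555),
    Conn(1.1, "203.0.113.5", "10.0.0.6", 5555),
    Conn(1.4, "203.0.113.9", "10.0.0.7", 5555),
    Conn(1.6, "203.0.113.5", "10.0.0.8", 5555),
    Conn(1.2, "10.0.0.2", "198.51.100.30", 5555),    # newly infected host scans outward
    Conn(1.3, "10.0.0.2", "198.51.100.31", 5555),
    Conn(1.5, "10.0.0.2", "198.51.100.32", 5555),
    Conn(1.7, "10.0.0.2", "198.51.100.33", 5555),
    Conn(2.4, "10.0.0.3", "198.51.100.40", 5555),    # after detection: should be dropped
    Conn(2.8, "10.0.0.3", "198.51.100.41", 5555),
]

if __name__ == "__main__":
    flagged = detect(SAMPLE_TRACE)
    print("flagged ports:", flagged)                     # {5555: 2.0}
    forwarded = quarantine(SAMPLE_TRACE, flagged)
    print("forwarded", len(forwarded), "of", len(SAMPLE_TRACE))
```

In the constructed trace the worm port is flagged at the end of the second interval, because the first interval carries only inbound probes and no outbound scanning yet; the four outbound probes sent before detection are forwarded, which is the window the abstract's "within about 4 seconds" figure is about. The legitimate ports never match: the web server receives inbound port 80 connections but no inside host opens outbound port 80 connections to several distinct addresses in the same interval, and HTTPS is outbound only. A site whose inside users also browse to the same port its servers expose is where the thresholds and the distinct-destination condition carry the false-detection risk the abstract says was studied with trace playback.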

Availability

This paper is available in several formats: an abstract web page with pointers and citations, a PDF, and paper copies, which can be obtained by mail from the authors. Copyright terms for this paper appear below.

Reference

Chen04a
Xuan Chen and John Heidemann. Detecting Early Worm Propagation through Packet Matching. Technical Report ISI-TR-2004-585, USC/Information Sciences Institute, February, 2004. <http://www.isi.edu/~johnh/PAPERS/Chen04a.html>.
@techreport{Chen04a,
	author = "Xuan Chen and John Heidemann",
	title = "Detecting Early Worm Propagation through Packet Matching",
	institution = "USC/Information Sciences Institute",
	year = "2004",
	number = "ISI-TR-2004-585",
	month = "February",
	keywords = "DEWP, worm propagation, NEWS",
	url = "http://www.isi.edu/~johnh/PAPERS/Chen04a.html",
	pdfurl = "http://www.isi.edu/~johnh/PAPERS/Chen04a.pdf",
	copyrightholder = "authors",
	myorganization = "USC/Information Sciences Institute",
}

Copyright

This paper is copyright © 2004 by its authors. Permission to make digital or hard copies of part or all of this work for personal use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Abstracting with credit is permitted.

To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission of the authors.