Early Worm Detection

A Subproject for Process Query Systems (PQS)

An attacker often selects a target machine only after broad scans to identify all vulnerable machines within a certain range of IP addresses. Unfortunately, current network routers often obscure scanning activity, since the routers will drop any scanning traffic directed toward a machine that does not actually exist. With this "loss" of scanning traffic, it is much harder for a security analyst to identify the scan in the first place or understand its scope. At the same time, however, routers do generate error messages (Internet Control Message Protocol (ICMP) Unreachable) when traffic is directed at nonexistent machines. By collecting these error messages, IRIA can provide security analysts with a much better view of scanning activity, allowing them to detect impending attacks that they might otherwise miss.

• Simulating Realistic Network Worm Traffic for Worm Warning System Design and Testing [PDF Format]
• Designing a Framework for Active Worm Detection on Global Networks [PDF Format]
• Using Sensor Networks and Data Fusion for Early Detection of Active Worms [PDF Format]
• Early Detection of Internet Worms [HTML]
• Early Detection of Internet Worm Activity by Metering ICMP Destination Unreachable Activity [PDF Format]
  
  
• Principal Investigator: George Bakos, Vincent Berk, Robert Gray