| Sign In to gain access to subscriptions and/or personal tools. |
Enhancing SWORD to Detect Zero-Day-Worm-Infected HostsDepartment of Computer Science University of Oregon Eugene OR 97403-1202, USA staffors{at}cs.uoregon.edu
Department of Computer Science University of Oregon Eugene OR 97403-1202, USA staffors{at}cs.uoregon.edu
Department of Computer Science University of Oregon Eugene OR 97403-1202, USA staffors{at}cs.uoregon.edu Once a host is infected by an Internet worm, prompt action must be taken before that host does more harm to its local network and the rest of the Internet. It is therefore critical to quickly detect that a worm has infected a host. In this paper, we enhance our SWORD system to allow for the detection of infected hosts and evaluate its performance. This enhanced version of SWORD inherits the advantages of the original SWORD: it does not rely on inspecting traffic payloads to search for worm byte patterns or setting up a honeypot to lure worm traffic. Furthermore, while acting as a host-level detection system, it runs at a network's gateway and stays transparent to individual hosts. We show that our enhanced SWORD system is able to quickly and accurately detect if a host is infected by a zero-day worm. Furthermore, the detection is shown to be effective against worms of different types and speeds, including polymorphic worms
Key Words: Internet worms • worm detection • net-work security • host infection
SIMULATION, Vol. 83, No. 2,
199-212 (2007) |
|||
 |
|
|
 |
|
Sign In to gain access to subscriptions and/or personal tools.
