Automated statistical based worm discovery using packet frequency burst detection

Abstract

Worms is self-replicating malicious programs that represent a major security threat for the Internet. A fast monitoring and early warning system are very essential to combat the fast spreading nature of worm. One of the techniques researched in this thesis is by passively listening for network traffic and looking for anomalous increases in network traffic. When a worm outbreak occurs, it often produces anomalous network traffic pattern which among of it are caused by enormous increase of probing signals, network scanning, and attack packets. These characteristics make it possible to detect an early outbreak by monitoring the network and looking out for any anomalous increase of certain type of network packet within certain timeframe. Only the data part of the network packet is recorded and repeated group packet is grouped together and counted to produce a graph. Administrator is warned by any anomalous pattern frequency burst. The threshold of the frequency dynamically changes based on network traffic where higher network has higher threshold. The system are tested against three real worm traces data set which are Code Red II (NLANR, 2008), Slammer (Robert, 2003) and Witty Worm (CAIDA, 2008). The testing which is done in restricted network environment has successfully detected the worm.