The propagation speed of fast scanning worms and the stealthy nature of slow scanning worms present unique challenges to intrusion detection. Typically, techniques optimized for detection of fast scanning worms fail to detect slow scanning worms, and vice versa. In practice, there is interest in developing an integrated approach to detecting both classes of worms. In this paper, we propose and analyze a unique integrated detection approach capable of detecting and identifying traffic flow(s) responsible for simultaneous fast and slow scanning malicious worm attacks. The approach uses a combination of evidence from distributed host-based anomaly detectors, a self-adapting profiler and Bayesian inference from network heuristics to detect intrusion activity due to both fast and slow scanning worms. We assume that the extreme nature of fast scanning worm epidemics make them well suited for extreme value theory and use sample mean excess function to determine appropriate thresholds for detection of such worms. Random scanning worm behavior is considered in analyzing the stochastic time intervals that affect behavior of the detection technique. Based on the analysis, a probability model for worm detection interval using the detection scheme was developed. Simulations are used to validate our assumptions and analysis. Copyright 2009 ACM.

Additional Metadata
Keywords Anomaly detection, Bayesian inference, Detection interval, Intrusion detection, Probability model, Worms
Persistent URL dx.doi.org/10.1145/1533057.1533071
Conference 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09
Citation
Akujobi, F. (Frank), Lambadaris, I, & Kranakis, E. (2009). An integrated approach to detection of fast and slow scanning worms. Presented at the 4th International Symposium on ACM Symposium on Information, Computer and Communications Security, ASIACCS'09. doi:10.1145/1533057.1533071