Paper: Rapid detection of worms using ICMP-T3 analysis
Robert S. Gray and Vincent H. Berk
15 September 2004
Abstract
Identification of an active Internet worm is a manual process in which security analysts must observe and analyze unusual activity on multiple firewalls, intrusion-detection systems, or hosts. A worm might not be positively identified until it has already spread to most of the Internet, eliminating many defensive options. In previous work, we developed an automated system that can identify active worms seconds or minutes after they first begin to spread, a necessary precursor to halting the spread of the worm rather than simply cleaning up afterward. The system collects ICMP Type 3 (Destination Unreachable) messages from instrumented network routers, identifies those patterns of unreachable messages that indicate malicious scanning activity, and then searches for patterns of scanning activity that indicate a propagating worm. In this paper, we compare the performance of two detection strategies, our previous threshold approach and a new line-fit approach, across different worm-propagation techniques, noise environments, and system parameters. These techniques work for worms that generate at least some of their target addresses through a random process, a feature of most recent worms. Although both are powerful methods for fast worm identification, the new line-fit approach proves to be significantly more noise resistant.
© (2004) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
Robert S. Gray and Vincent H. Berk "Rapid detection of worms using ICMP-T3 analysis", Proc. SPIE 5403, Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Security and Homeland Defense III, (15 September 2004); https://doi.org/10.1117/12.548171
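The abstract describes a two-stage pipeline (ICMP Type 3 records, then scanners, then worm) and two second-stage strategies, threshold and line-fit, but gives no parameters or algorithm details. The following is an added illustration written for this page, not the authors' system or code: the record layout, all thresholds, the fixed-window bucketing, the "slope must persist" rule, and the traffic itself are assumptions, and the traffic is constructed inline (one background scanner per window, a 5-host one-off burst of the kind a noisy pentest or misconfiguration produces, and a worm whose new infections double each window). It shows why a per-window count threshold fires on the burst while a least-squares slope over recent windows does not, at the cost of one window of latency on the real worm.

```python
"""Added example (not the paper's code): two-stage worm detection from ICMP
Type 3 (Destination Unreachable) records.  Parameters, record layout and
traffic are assumptions; all traffic below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class IcmpT3:
    ts: float       # time the router emitted the Destination Unreachable (s)
    orig_src: str   # source of the undeliverable packet (the prober), from the quoted header
    orig_dst: str   # address that was unreachable, from the quoted header


def find_scanners(records, min_distinct=8, window=10.0):
    """Stage 1: a source whose undeliverable packets hit >= min_distinct distinct
    unreachable destinations within `window` seconds is a scanner.  Repeated
    retries to one dead host do not count.  Returns {src: first-detection ts}."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r.orig_src].append(r)
    detected = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        win = deque()
        for r in recs:
            win.append(r)
            while win[0].ts < r.ts - window:     # drop records older than the window
                win.popleft()
            if len({w.orig_dst for w in win}) >= min_distinct:
                detected[src] = r.ts
                break
    return detected


def new_scanners_per_window(detected, w=30.0):
    """Stage 2 input: number of newly detected scanners in each fixed w-second window."""
    last = max(int(t // w) for t in detected.values()) if detected else -1
    counts = [0] * (last + 1)
    for t in detected.values():
        counts[int(t // w)] += 1
    return counts


def threshold_alarm(counts, min_new=5):
    """Approach A (assumed form): alarm in the first window with >= min_new new scanners."""
    for i, c in enumerate(counts):
        if c >= min_new:
            return i
    return None


def slope(ys):
    """Least-squares slope of ys against x = 0..len(ys)-1."""
    n, ym = len(ys), sum(ys) / len(ys)
    xm = (n - 1) / 2
    num = sum((x - xm) * (y - ym) for x, y in enumerate(ys))
    return num / sum((x - xm) ** 2 for x in range(n))


def linefit_alarm(counts, k=6, min_slope=0.5, persist=2):
    """Approach B (assumed form): fit a line to the last k per-window counts and alarm
    once the slope exceeds min_slope in `persist` consecutive windows.  Steady background
    scanning has slope ~0; a worm makes the count itself grow window over window."""
    run = 0
    for i in range(k - 1, len(counts)):
        run = run + 1 if slope(counts[i - k + 1:i + 1]) > min_slope else 0
        if run >= persist:
            return i
    return None


# ---- constructed traffic -------------------------------------------------------
def probe_burst(src, t0, n=10):
    """Constructed: n T3 records from src probing n distinct unused 10/8 addresses."""
    return [IcmpT3(t0 + 0.2 * i, src,
                   f"10.{(37 * i) % 256}.{(91 * i) % 256}.{(53 * i + 7) % 256}")
            for i in range(n)]


def retries(src, t0, n=20):
    """Constructed: a misconfigured client retrying one dead host (not a scan)."""
    return [IcmpT3(t0 + 0.5 * i, src, "10.0.0.250") for i in range(n)]


def scenario_burst(windows=8, w=30.0):
    """One background scanner per window, a 5-host burst in window 5, plus retries."""
    recs = []
    for k in range(windows):
        recs += probe_burst(f"203.0.113.{k}", k * w + 10)
        if k == 5:
            for j in range(5):
                recs += probe_burst(f"198.51.100.{j}", k * w + 12 + j)
    return recs + retries("192.168.1.20", 40)


def scenario_worm(windows=12, w=30.0, start=6):
    """Background as above plus a worm whose new infections double every window."""
    recs, hosts = [], 0
    for k in range(windows):
        recs += probe_burst(f"203.0.113.{k}", k * w + 10)
        for _ in range(2 ** (k - start) if k >= start else 0):
            hosts += 1
            recs += probe_burst(f"192.0.2.{hosts}", k * w + 5 + hosts % 20)
    return recs


if __name__ == "__main__":
    for name, recs in (("burst", scenario_burst()), ("worm", scenario_worm())):
        counts = new_scanners_per_window(find_scanners(recs))
        print(name, counts, "threshold:", threshold_alarm(counts),
              "line-fit:", linefit_alarm(counts))
```

With these parameters the burst scenario yields per-window counts [1, 1, 1, 1, 1, 6, 1, 1]: the threshold detector alarms in window 5, the line-fit detector sees a slope of about 0.71 for one window and then falls back below 0.5, so it stays quiet. The worm scenario yields [1, 1, 1, 1, 1, 1, 2, 3, 5, 9, 17, 33]: the threshold alarms in window 8 and the line-fit in window 9, one window later, which is the latency paid for the noise resistance. A burst that lands in the most recent window does tilt a single fit, which is why this version requires the slope to persist; an operational system would also want to tune the window length to the probe rate of the worms it expects.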
KEYWORDS: Data modeling, Internet, Performance modeling, Stochastic processes, Homeland security, Instrument modeling, Process modeling