Worm Detection Using Local Networks

The need for a global monitoring system for Internet worm detection is clear. Likewise, the need for local detection and response is also obvious. In this study, we used a large data set to review some of the worm monitoring and detection strategies proposed for large networks, and found them difficult to apply to local networks. In particular, the Kalman filter and victim number-based approaches proved unsuitable for smaller networks. They are of course appropriate for large sys- tems, but what work well for local networks? We propose two algorithms tailored for local network monitoring needs. First, the Destination Source Corre- lation (DSC) algorithm focuses on the infection relation, and tracks real infected hosts (and not merely scans) to provide an accurate response. Second, the HoneyStat system provides a way to track the short-term infection behavior used by worms. Potentially, this provides a ba- sis for statistical inference about a worm's behavior on a network.