Fast Detection of Scanning Worms Using Reverse Sequential Hypothesis Testing and Credit-Based Connection Rate Limiting

Worm detection and response systems must act quickly to identify and quarantine scanning worms, as these pathogens have been able to infect the ma- jority of vulnerable hosts on the Internet in a matter of minutes (11). On the other hand, detection sys- tems that issue false alarms, quarantining too many systems or even just one critical system, are likely to be deactivated quickly. We present a hybrid ap- proach to detecting scanning worms that integrates significant improvements we have made to two ex- isting techniques; sequential hypothesis testing and scan connection rate limiting. Our results show that this two-pronged approach successfully restricts the number of scans that a worm, is highly eective, and has a low false alarm rate.