Graph-Based Worm Detection on Operational Enterprise Networks

Abstract

The most significant open challenge to the worm defense community is to develop a sensitive detection method that can detect new worms in real time with a tolerable false alarm rate. This paper presents a graph-based detection system and validates it on operational enterprise network data. We argue that the result is significantly closer to solving this challenge than other published works. We show that a graph-based approach to worm detection in an enterprise network can detect a broad range of active worms with a false alarm rate of fewer than two alarms per day. The supporting analysis comes from running the detection algorithm on a real enterprise network. The sensitivity results are significantly better than what is reported in the literature. We can detect all active, fast-spreading unimodal worms, including hit-list, topological, subnet-scanning, and meta-server worms.

Document Details

Document Type
Technical Report
Publication Date
Apr 01, 2006
Accession Number
AD1106849

Entities

People

  • Adam M. Mcleod
  • Daniel R Ellis
  • David R. Keppler
  • John G. Aiken
  • Paul G. Amman

Organizations

  • MITRE Corporation

Tags

Communities of Interest

  • Advanced Electronics
  • Cyber
  • Materials and Manufacturing Processes

DTIC Thesaurus Topics

  • Accuracy
  • Algorithms
  • California
  • Coinfection
  • Commerce
  • Cybersecurity
  • Detection
  • Detectors
  • Environment
  • False Alarms
  • Frequency
  • Infection
  • Intrusion Detection
  • Laboratory Equipment
  • Models
  • Network Protocols
  • Operating Systems
  • Probability
  • Random Number Generators
  • Warning Systems
  • Wound Infections

Fields of Study

  • Computer science

Readers

  • Marine Ecological Systems Migration
  • Neural Network Machine Learning
  • Sensor Fusion and Tracking Systems