DESIGN AND EVALUATION OF A FAST AND ROBUST WORM DETECTION ALGORITHM
Abstract
A method and computer product are presented for identifying Internet worm propagation based upon changes in packet arrival rates at a network connection. First, unsolicited traffic (i.e., packets that were not requested by the receiver) is separated from solicited traffic at the network connection. The unsolicited traffic arrival patterns are monitored and analyzed for any changes. Once changes in the unsolicited traffic arrival patterns are detected, the changes are mathematically analyzed to detect growth trends. The presence of growth trends that follow certain key characteristics indicates whether the changes are due to worm propagation.
17 Claims
1. A method for detecting the propagation of a worm in a network, the method comprising the steps of:
(1) identifying and isolating unsolicited traffic from solicited traffic; and
(2) analyzing changes in unsolicited traffic patterns to identify a worm.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A computer program product embodied on a computer readable medium for detecting the propagation of a worm in a network, the product comprising:
first computer executable instructions for identifying and isolating unsolicited traffic from solicited traffic; and
second computer executable instructions for analyzing changes in unsolicited traffic patterns to identify a worm.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A method for detecting the propagation of a worm in a network, the method comprising the steps of:
(1) identifying and isolating unsolicited traffic from solicited traffic;
(2) detecting a change in arrival rates of said unsolicited traffic, wherein said detecting comprises using a cumulative summing (CUSUM) statistical analysis for detecting a change in arrival rates of said unsolicited traffic and issuing an indication of a change in said arrival rates when CUSUM detects a change in said arrival rates that exceeds a predetermined threshold; and
(3) determining whether said detected change is due to worm propagation, wherein said determining comprises using a non-stationary Poisson process to analyze said detected changes in arrival rates to determine if said changes are due to worm propagation.
Dependent claims: 16, 17
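Steps (1) and (2) of claim 15, shown as an added Python example that is not taken from the patent: inbound packets with no prior outbound request are counted per interval, and a one-sided CUSUM raises an indication when the count drifts above its baseline. The function names, the 10.0.0.0/24 local network, the baseline window, the slack, threshold and sigma-floor values and the sample trace are all assumptions; step (3), the non-stationary Poisson analysis, is not covered here.

```python
import ipaddress
from collections import Counter

def unsolicited_counts(packets, local_net, interval=1.0):
    """Step 1: per-interval count of inbound packets that no local host requested.

    packets: (timestamp, src_ip, dst_ip) tuples in time order. An inbound packet
    is solicited when its local destination already sent to that remote source.
    """
    net = ipaddress.ip_network(local_net)
    contacted = set()                      # (local, remote) pairs seen outbound
    bins = Counter()
    for ts, src, dst in packets:
        if ipaddress.ip_address(src) in net:
            contacted.add((src, dst))      # outbound traffic solicits replies
        elif (dst, src) not in contacted:
            bins[int(ts // interval)] += 1
    return [bins[i] for i in range(max(bins, default=-1) + 1)]

def cusum_alarm(counts, baseline_bins, slack=0.5, threshold=5.0):
    """Step 2: one-sided CUSUM; returns the first bin whose sum exceeds threshold."""
    base = counts[:baseline_bins]
    mu = sum(base) / len(base)
    var = sum((c - mu) ** 2 for c in base) / len(base)
    sigma = max(var ** 0.5, 1.0)           # floor (assumption) for quiet baselines
    s = 0.0
    for i, c in enumerate(counts[baseline_bins:], start=baseline_bins):
        s = max(0.0, s + (c - mu) / sigma - slack)   # resets when traffic is normal
        if s > threshold:
            return i
    return None

def sample_packets():
    """Constructed trace: steady background, then growing scans from bin 10 on."""
    per_bin = [2, 3, 2, 1, 2, 3, 2, 2, 1, 2, 3, 4, 6, 9, 14, 22]
    pkts = []
    for b, n in enumerate(per_bin):
        pkts.append((b + 0.0, "10.0.0.5", "198.51.100.7"))   # local request
        pkts.append((b + 0.1, "198.51.100.7", "10.0.0.5"))   # solicited reply
        pkts += [(b + 0.2 + j * 0.01, f"203.0.113.{j + 1}", "10.0.0.9")
                 for j in range(n)]
    return pkts

if __name__ == "__main__":
    counts = unsolicited_counts(sample_packets(), "10.0.0.0/24")
    print("unsolicited per interval:", counts)
    print("CUSUM alarm at interval:", cusum_alarm(counts, baseline_bins=10))
```

The solicited replies in the constructed trace never enter the counts, so only the scan-like traffic drives the CUSUM statistic.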
Specification