Early Detection Of Active Internet Worms

An active Internet worm is malicious software that autonomously searches for and infects vulnerable hosts, copying itself from one host to another and spreading through the susceptible population. Most recent worms find vulnerable hosts by generating random IP addresses and then probing those addresses to see which are running the desired vulnerable services. Detection of such worms is a manual process in which security analysts must observe and analyze unusual network or host activity, and the worm might not be positively identified until it already has spread to most of the Internet.

In this chapter, we present an automated system that can identify active scanning worms soon after they begin to spread, a necessary precursor to halting or slowing the spread of the worm. Our implemented system collects ICMP Destination Unreachable messages from instrumented routers, identifies message patterns that indicate malicious scanning activity, and then identifies scan patterns that indicate a propagating worm. We examine an epidemic model for worm propagation, describe our ICMP-based detection system, and present simulation results that illustrate its detection capabilities.
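As an added illustration (not code from the chapter or its implemented system), the following Python sketches the pipeline the abstract describes: router-reported ICMP Destination Unreachable messages are parsed, a source that provokes errors for many distinct destinations is classified as a scanner, and a scanning population that grows window over window is flagged as worm-like rather than as a single attacker or a misconfigured host. The log format, the threshold and window values, and the sample records are all assumptions constructed for this example.

```python
"""Toy ICMP-based scanning-worm detector (added example, not the chapter's code).

Input model (assumed): each instrumented router reports one line per ICMP
Destination Unreachable message it generated, as
    <epoch_seconds> <probing_host> <unreachable_destination>
where probing_host is the source of the packet that provoked the ICMP error.
"""
from collections import defaultdict


def _scan(t0, src, dsts):
    """Build constructed log lines for one host probing several addresses."""
    return [f"{t0 + i} {src} {dst}" for i, dst in enumerate(dsts)]


# Constructed sample log: one benign host repeatedly hitting a single dead
# address (e.g. a client retrying), then a growing set of scanning hosts in
# successive 100-second windows: 1, 2 and 4 new scanners respectively.
SAMPLE_LOG = (
    _scan(0, "172.16.3.9", ["192.0.2.8"] * 6)
    + _scan(10, "10.0.0.5", [f"203.0.113.{i}" for i in range(1, 6)])
    + _scan(110, "10.0.0.6", [f"198.51.100.{i}" for i in range(1, 6)])
    + _scan(120, "10.0.0.7", [f"203.0.113.{i}" for i in range(10, 15)])
    + _scan(210, "10.0.0.8", [f"192.0.2.{i}" for i in range(20, 25)])
    + _scan(220, "10.0.0.9", [f"192.0.2.{i}" for i in range(30, 35)])
    + _scan(230, "10.0.0.10", [f"203.0.113.{i}" for i in range(40, 45)])
    + _scan(240, "10.0.0.11", [f"198.51.100.{i}" for i in range(50, 55)])
)

SCAN_THRESHOLD = 5    # distinct unreachable destinations that mark a source as a scanner (assumed)
WINDOW_SECONDS = 100  # bucket size for measuring growth of the scanning population (assumed)


def parse_log(lines):
    """Parse log lines into (timestamp, src, dst); malformed lines are skipped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), parts[1], parts[2]))
    return records


def find_scanners(records, threshold=SCAN_THRESHOLD):
    """Return {src: first_detection_time} for sources that provoked errors for
    `threshold` distinct destinations. Repeated errors for the same destination
    count once, so a host retrying one dead address is not a scanner."""
    seen = defaultdict(set)
    detected = {}
    for ts, src, dst in sorted(records):
        seen[src].add(dst)
        if src not in detected and len(seen[src]) >= threshold:
            detected[src] = ts
    return detected


def scanners_per_window(detected, window=WINDOW_SECONDS):
    """Count newly detected scanners in each consecutive window, starting at t=0."""
    if not detected:
        return []
    counts = [0] * (max(detected.values()) // window + 1)
    for ts in detected.values():
        counts[ts // window] += 1
    return counts


def looks_like_worm(counts, min_windows=3):
    """Flag worm-like propagation: the number of newly detected scanners rises
    in each of the last `min_windows` windows. A fixed set of scanners (one
    attacker, a misconfigured monitor) produces a flat series instead."""
    if len(counts) < min_windows:
        return False
    tail = counts[-min_windows:]
    return tail[0] > 0 and all(b > a for a, b in zip(tail, tail[1:]))


def analyse(lines):
    """Run the full pipeline: parse -> scanner detection -> growth test."""
    detected = find_scanners(parse_log(lines))
    counts = scanners_per_window(detected)
    return detected, counts, looks_like_worm(counts)


if __name__ == "__main__":
    detected, counts, worm = analyse(SAMPLE_LOG)
    print("scanners:", sorted(detected))
    print("new scanners per window:", counts)
    print("worm-like growth:", worm)
```

The growth test is deliberately simple: it keys on the early, accelerating phase of the epidemic curve, which is the phase in which the abstract argues detection must happen. On real traffic the threshold and window would be tuned against the background rate of unreachable messages at the instrumented routers, and a per-window test would be replaced by a fit against the epidemic model the chapter examines.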
