Graph-based Worm Detection
On Operational Enterprise Networks
April 2006
Daniel R. Ellis, The MITRE Corporation
John G. Aiken, The MITRE Corporation
Adam M. McLeod, The MITRE Corporation
David R. Keppler, The MITRE Corporation
Paul G. Amman, George Mason University
ABSTRACT
The most significant open challenge to the worm defense
community is to develop a sensitive detection method that
can detect new worms in real time with a tolerable false
alarm rate. This paper presents a graph-based detection
system and validates it on operational enterprise network
data. We argue that the result is significantly closer to
solving this challenge than other published works.
We show that a graph-based approach to worm detection in
an enterprise network can detect a broad range of active
worms with a false alarm rate of less than twice per day.
The supporting analysis comes from running the detection
algorithm on a real enterprise network. The sensitivity
results are significantly better than what is reported in the
literature. We can detect all active, fast-spreading unimodal
worms, including hit-list, topological, subnet-scanning, and
meta-server worms.
» Download Paper [PDF, 387KB]
Additional Search Keywords
N/A
|
