Detection of silent worms using anomaly connection tree

Nobutaka Kawaguchi, Hiroshi Shigeno, Ken Ichi Okada

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

In this paper we propose a worm detection method that effectively detects silent worms in intranets and LANs. Most existing detection methods use the aggressive activities of worms as a clue for detection and are ineffective against worms that propagate silently using a list of vulnerable hosts. To detect such worms, we propose the Anomaly Connection Tree Method (ACTM). ACTM uses two features common to most worms. The first is that a worm's propagation behaviour can be expressed as tree-like structures with infection connections as edges. The second is that, when selecting infection targets, the worm does not consider which hosts its infected host frequently communicates with. By detecting trees composed of anomaly connections, ACTM detects the existence of worms. Simulation results show that ACTM can detect worms at an early stage of their propagation.

Original language: English
Title of host publication: Proceedings - International Conference on Advanced Information Networking and Applications, AINA
Pages: 412-419
Number of pages: 8
DOIs: https://doi.org/10.1109/AINA.2007.58
Publication status: Published - 2007
Event: 21st International Conference on Advanced Information Networking and Applications, AINA 2007 - Niagara Falls, ON, Canada
Duration: 2007 May 21 → 2007 May 23

Other

Other: 21st International Conference on Advanced Information Networking and Applications, AINA 2007
Country: Canada
City: Niagara Falls, ON
Period: 07/5/21 → 07/5/23

Fingerprint

Intranets
Local area networks

ASJC Scopus subject areas

  • Engineering(all)

Cite this

Kawaguchi, N., Shigeno, H., & Okada, K. I. (2007). Detection of silent worms using anomaly connection tree. In Proceedings - International Conference on Advanced Information Networking and Applications, AINA (pp. 412-419). [4220922] https://doi.org/10.1109/AINA.2007.58

@inproceedings{6224f01ed2ea4a809c179de70598c4f7,
title = "Detection of silent worms using anomaly connection tree",
author = "Nobutaka Kawaguchi and Hiroshi Shigeno and Okada, {Ken Ichi}",
year = "2007",
doi = "10.1109/AINA.2007.58",
language = "English",
isbn = "0769528465",
pages = "412--419",
booktitle = "Proceedings - International Conference on Advanced Information Networking and Applications, AINA",

}

TY - GEN

T1 - Detection of silent worms using anomaly connection tree

AU - Kawaguchi, Nobutaka

AU - Shigeno, Hiroshi

AU - Okada, Ken Ichi

PY - 2007

Y1 - 2007

UR - http://www.scopus.com/inward/record.url?scp=34548712335&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34548712335&partnerID=8YFLogxK

U2 - 10.1109/AINA.2007.58

DO - 10.1109/AINA.2007.58

M3 - Conference contribution

SN - 0769528465

SN - 9780769528465

SP - 412

EP - 419

BT - Proceedings - International Conference on Advanced Information Networking and Applications, AINA

ER -