Publications (4)
Conference Proceeding: Behavior-Based Worm Detectors Compared.
Recent Advances in Intrusion Detection, 13th International Symposium, RAID 2010, Ottawa, Ontario, Canada, September 15-17, 2010. Proceedings; 01/2010
Article: Enhancing SWORD to Detect Zero-Day-Worm-Infected Hosts.
Simulation. 01/2007; 83:199-212.
Article: On the performance of SWORD in detecting zero-day-worm-infected hosts
ABSTRACT: Once a host is infected by an Internet worm, prompt action must be taken before that host does more harm to its local network and the rest of the Internet. It is therefore critical to quickly detect that a worm has infected a host. In this paper, we enhance our SWORD system to allow for the detection of infected hosts and evaluate its performance. This enhanced version of SWORD inherits the advantages of the original SWORD—it does not rely on inspecting traffic payloads to search for worm byte patterns or setting up a honeypot to lure worm traffic. Furthermore, while acting as a host-level detection system, it runs at a network's gateway and stays transparent to individual hosts. We show that our enhanced SWORD system is able to quickly and accurately detect if a host is infected by a zero-day worm. Furthermore, the detection is shown to be effective against worms of different types and speeds, including polymorphic worms.
Article: GLOWS: A High Fidelity Worm Simulator
ABSTRACT: This work presents our GLOWS (Gateway Level Oregon Worm Simulator) simulator, designed to produce realistic worm traffic over a broad range of scenarios. GLOWS simulates the spread of a worm across the Internet and its propagation into a single domain with the goal of capturing the worm traffic that crosses the gateway point separating the monitored domain from the Internet.