Accurate detection of Internet worms in their early stages remains an unsolved problem. One could scan Internet traffic for worm signatures or suspicious byte patterns, but worm signatures are often useless for unknown worms that exploit new software vulnerabilities, and suspicious byte patterns are problematic because worms can carry virtually arbitrary payloads. Processing and analyzing traffic payloads is also expensive. These limitations have motivated investigations into the behaviors that self-propagating worms may display. However, for a behavior-based approach to succeed, researchers must first identify the precise or essential behaviors that worms will display.
The objective of this research is to systematically define, extract, and leverage essential worm behaviors while watching the inbound and outbound traffic of an infected domain, and to understand the effectiveness and limitations of a behavior-based approach in detecting and classifying worms and identifying infected hosts.
This research proposes the design, development, and evaluation of a framework called SWORD to study the causality and payload-independent similarity of worm connections, their destination visiting patterns as compared to normal connections, and their continuity as a worm spreads, with the consideration that certain legitimate connections may appear worm-like and that smart worms can attempt to hide themselves.
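As an added illustration (not code from the SWORD framework or its authors), the following sketch scores two of the behaviors named above over constructed connection records of a monitored domain: causality, meaning outbound connections on a port that shortly follow an inbound connection on the same port, and the destination-visiting pattern, meaning fan-out to many distinct destinations. The record format, window and threshold are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample records (hypothetical, not real traffic).
# Each record: (t_seconds, direction, local_host, remote_host, port)
RECORDS = [
    (0, "in", "10.0.0.5", "203.0.113.9", 445),   # inbound hit on 445
    (5, "out", "10.0.0.5", "10.0.1.1", 445),     # then rapid fan-out on 445
    (6, "out", "10.0.0.5", "10.0.1.2", 445),
    (7, "out", "10.0.0.5", "10.0.1.3", 445),
    (8, "out", "10.0.0.5", "10.0.1.4", 445),
    (9, "out", "10.0.0.5", "10.0.1.5", 445),
    (10, "out", "10.0.0.5", "10.0.1.6", 445),
    (3, "out", "10.0.0.7", "198.51.100.2", 443),  # ordinary web browsing
    (20, "out", "10.0.0.7", "198.51.100.3", 443),
    (2, "in", "10.0.0.8", "198.51.100.4", 80),    # web server, no follow-on
]

def worm_behavior_scores(records, window=60, fanout_threshold=5):
    """Per (local host, port): count outbound connections that follow an
    inbound connection on the same port within `window` seconds (causality)
    and the number of distinct destinations (destination-visiting pattern).
    A pair is flagged worm-like only when both behaviors are present, so a
    busy client with no triggering inbound connection is not flagged."""
    inbound = defaultdict(list)            # (host, port) -> inbound times
    for t, d, host, _, port in records:
        if d == "in":
            inbound[(host, port)].append(t)
    stats = defaultdict(lambda: {"caused_out": 0, "dsts": set()})
    for t, d, host, remote, port in sorted(records):
        if d != "out":
            continue
        s = stats[(host, port)]
        s["dsts"].add(remote)
        if any(0 <= t - ti <= window for ti in inbound[(host, port)]):
            s["caused_out"] += 1
    return {
        key: {
            "caused_out": s["caused_out"],
            "distinct_dsts": len(s["dsts"]),
            "worm_like": s["caused_out"] > 0
                         and len(s["dsts"]) >= fanout_threshold,
        }
        for key, s in stats.items()
    }

if __name__ == "__main__":
    for key, score in worm_behavior_scores(RECORDS).items():
        print(key, score)
```

Continuity, the third behavior, would be checked by evaluating the same scores over successive windows and requiring the fan-out to persist.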
This research is a critical step towards preventing the severe economic and social disruption that Internet worms can cause. The research results and artifacts will be made available to the academic community through dissemination of security curricula and software tools, and to the public through publications and technology transfer.