Sciweavers

NDSS
2005
IEEE

DNS-based Detection of Scanning Worms in an Enterprise Network

14 years 6 months ago
DNS-based Detection of Scanning Worms in an Enterprise Network
Worms are arguably the most serious security threat facing the Internet. Seeking a detection technique that is both sufficiently efficient and accurate to enable automatic containment of worm propagation at the network egress points, we propose a new technique for the rapid detection of worm propagation from an enterprise network. It relies on the correlation of Domain Name System (DNS) queries with outgoing connections from an enterprise network. Improvements over existing scanning worm detection techniques include: (1) the possibility to detect worm propagation after only a single infection attempt; (2) the capacity to detect zero-day worms; and (3) a low false positive rate. The precision of this first-mile detection technique supports the use of automated containment and suppression strategies to stop fast scanning worms before they leave the network boundary. We believe that this technique can be applied with the same precision to identify other forms of malicious behavior wit...
David Whyte, Evangelos Kranakis, Paul C. van Oorsc
Added 25 Jun 2010
Updated 25 Jun 2010
Type Conference
Year 2005
Where NDSS
Authors David Whyte, Evangelos Kranakis, Paul C. van Oorschot
Comments (0)