Real-time Detection of Known and Unknown Worms

Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage
May 30, 2003

Worms are a major threat to the security and reliability of today's networks. Because they can spread rapidly from computer to computer, to effectively contain them we need automated methods to very quickly identify and filter new worms before they grow into a massive epidemic. In this paper we propose such an automated approach based on identifying in real time the traffic characteristics common to all worms: highly repetitive packet content, going from an increasing number of infected hosts to very many random IP addresses of potential new victims. Our preliminary results on a small network show that our automated approach of identifying new worms is promising: it identified three confirmed worms with an encouragingly low percentage of false positives when configured with good parameters.

How to view this document

The authors of these documents have submitted their reports to this technical report series for the purpose of non-commercial dissemination of scientific work. The reports are copyrighted by the authors, and their existence in electronic format does not imply that the authors have relinquished any rights. You may copy a report for scholarly, non-commercial purposes, such as research or instruction, provided that you agree to respect the author's copyright. For information concerning the use of this document for other than research or instructional purposes, contact the authors. Other information concerning this technical report series can be obtained from the Computer Science and Engineering Department at the University of California at San Diego,

[ Search ]

This server operates at UCSD Computer Science and Engineering.
Send email to