Article

On the Detection of Smart, Self-Propagating Internet Worms

Journal

Publisher

IEEE COMPUTER SOC
DOI: 10.1109/TDSC.2022.3194127

Keywords

Internet worm; smart worm; worm detection; behavior-based worm detection; Mirai worm

Abstract

Self-propagating worms can infect millions of computers on the Internet in just a few minutes. As witnessed by the recent Mirai and WannaCry worms, worm attacks are real, destructive, and continue to persist. Although many worm detectors exist, most of those we studied suffer from three drawbacks: none systematically considers countermeasures from worm authors, which can make them ineffective against evasive worms; all focus on outbound worms leaving a network, leaving their efficacy against inbound worms entering a network unanswered; and many require bi-directional traffic to detect worms, which makes their placement on the Internet inflexible. We therefore revisit worm detection in this paper while avoiding these drawbacks of existing work. We describe our design of SWORD, a new worm detector that focuses on the fundamental behavior of worms. It includes two complementary modules that monitor connections from and to a protected network, with one module monitoring burst durations and the other ensuring quiescent periods. Through extensive experiments using both simulated worm traffic and a real-world Mirai worm trace, we demonstrate that SWORD is superior to existing detectors at detecting not only classic and evasive outbound worms but also inbound worms, especially those that are superspreading or surreptitious.
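The abstract describes two complementary behavioral checks, one on how long a host's bursts of new connections last and one on whether the host ever goes quiet, both driven by connection initiations alone (no reply traffic needed). The following is an added illustration of that general idea, written for this page; it is not SWORD's code, and the burst and quiescence definitions, the thresholds (1 s inter-connection gap, 10 s maximum burst, 60 s window, 5 s minimum quiet period, 10 connections per window) and the three constructed traces are all assumptions chosen to make the two modules' complementarity visible. It shows why a slow, continuously scanning host can slip past a burst-duration check yet still fail a quiescence check.

```python
"""Toy behavior-based worm detector over one-directional connection records.

Illustrative example only: the burst/quiescence definitions, thresholds and
sample traces below are assumptions for this page, not SWORD's algorithm or
parameters. Each record is a connection *initiation* seen from one side, so
the detector works on unidirectional traffic (outbound: src is an internal
host; inbound: src is an external scanner hitting the protected network).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float   # seconds since start of the trace
    src: str    # initiating host being scored
    dst: str    # target address (unused by the logic, kept for realism)


def bursts(timestamps, gap):
    """Split sorted timestamps into bursts: consecutive initiations less than
    `gap` seconds apart belong to the same burst. Returns [(start, end), ...]."""
    out = []
    if not timestamps:
        return out
    start = prev = timestamps[0]
    for t in timestamps[1:]:
        if t - prev >= gap:
            out.append((start, prev))
            start = t
        prev = t
    out.append((start, prev))
    return out


def _by_src(conns):
    groups = defaultdict(list)
    for c in conns:
        groups[c.src].append(c.ts)
    return {src: sorted(ts) for src, ts in groups.items()}


def burst_duration_alerts(conns, gap=1.0, max_burst=10.0):
    """Module A (burst duration): flag sources whose longest burst of new
    connections lasts longer than `max_burst` seconds. Returns {src: longest}."""
    alerts = {}
    for src, ts in _by_src(conns).items():
        longest = max(end - start for start, end in bursts(ts, gap))
        if longest > max_burst:
            alerts[src] = longest
    return alerts


def quiescence_alerts(conns, window=60.0, min_quiet=5.0, min_conns=10):
    """Module B (quiescent periods): flag sources that, in some fixed window
    holding at least `min_conns` initiations, never stay quiet for `min_quiet`
    seconds (window edges count as potential quiet time). Returns a set."""
    alerts = set()
    for src, ts in _by_src(conns).items():
        w_start = 0.0
        while w_start <= ts[-1]:
            w_end = w_start + window
            in_win = [t for t in ts if w_start <= t < w_end]
            if len(in_win) >= min_conns:
                gaps = ([in_win[0] - w_start]
                        + [b - a for a, b in zip(in_win, in_win[1:])]
                        + [w_end - in_win[-1]])
                if max(gaps) < min_quiet:
                    alerts.add(src)
                    break
            w_start = w_end
    return alerts


def detect(conns):
    """Combine both modules: {src: set of module names that fired}."""
    verdict = defaultdict(set)
    for src in burst_duration_alerts(conns):
        verdict[src].add("burst")
    for src in quiescence_alerts(conns):
        verdict[src].add("quiescence")
    return dict(verdict)


# Constructed sample trace (assumption, not real data):
#  10.0.0.5  benign: two short bursts of 6 connections, long idle gap between
#  10.0.0.9  classic worm: one connection every 0.1 s for a full minute
#  10.0.0.23 slow scanner: one connection every 2 s, never pausing
SAMPLE_CONNS = (
    [Conn(round(i * 0.5, 1), "10.0.0.5", f"203.0.113.{i}") for i in range(6)]
    + [Conn(30.0 + round(i * 0.5, 1), "10.0.0.5", f"198.51.100.{i}") for i in range(6)]
    + [Conn(round(i * 0.1, 1), "10.0.0.9", f"192.0.2.{i % 256}") for i in range(600)]
    + [Conn(float(i * 2), "10.0.0.23", f"192.0.2.{100 + i}") for i in range(30)]
)

if __name__ == "__main__":
    for src, fired in sorted(detect(SAMPLE_CONNS).items()):
        print(f"{src}: {sorted(fired)}")
```

Module A alone misses the 2-second scanner because no two of its connections fall within the 1-second burst gap, while module B catches it because the host never exhibits a 5-second quiet period; the fast scanner trips both, and the benign host trips neither. Real thresholds would have to be tuned against the protected network's baseline, and a worm that deliberately inserts pauses longer than the quiet threshold is exactly the kind of countermeasure the abstract says a detector must account for.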

Authors

