Internet Worm Detection as part of a Distributed Network Inspection System

Abstract:
The most widely publicized, and arguably most damaging, types of malicious traffic on the
Internet today include worms, spam, viruses and denial of service attacks. Internet worms
self-propagate across networks, exploiting flaws in operating systems and services,
spreading viruses and congesting network links. Worms constitute a significant security
and performance threat and have recently been used to facilitate distributed denial of
service (dDoS) attacks. It is the aim of this dissertation to investigate approaches for
detecting a wide range of malicious activity such as worms and (d)DoS. This dissertation
describes the design and implementation of an object-oriented framework for distributed
intrusion detection. The framework features heterogeneous sensors with a configurable
event source that can adapt by dynamically composing components at run-time. The
sensors are controlled remotely by a management application that can configure, extend
and control sensors individually. The framework is extensible and allows researchers to
quickly implement and evaluate detection techniques in a live network environment. A
number of components have been implemented for the framework including a component
designed to detect internet worms. It was found that this component could successfully
detect a range of malicious activity including worms on both low utilisation dial-up links
and gateway router links.
Author: Linehan, Eamonn
Advisor: McGoldrick, Ciaran
Qualification name: Master of Science (M.Sc.)
Collections:
Availability: Full text available
Keywords: Computer Science
Licences: