An Effective Architecture and Algorithm for Detecting Worms With Various Scan Techniques
Since the days of the Morris worm, the spread of malicious code has been the most imminent menace to the Internet. Worms use various scanning methods to spread rapidly. Worms that select scan destinations carefully can cause more damage than worms employing random scanning. This paper analyzes various scan techniques. The authors then propose a generic worm detection architecture that monitors malicious activities. They propose and evaluate an algorithm to detect the spread of worms using real time traces and simulations. They find that their solution can detect worm activities when only 4% of the vulnerable machines are infected. Their results offer insight into the future battle against worm attacks.