The 36th IPP Symposium

Signature Metrics for Accurate and Automated Worm Detection

Prem Gopalan, Mazu Networks

Rapid worms propagate through a network in minutes or seconds, requiring automated mitigation. Recent studies show that content-based filtering of worm signatures is more effective than simple address-based filtering, and have motivated the development of automated worm signature generation systems.

Unfortunately, the proposed signature generation algorithms produce many false positives, which they attempt to address with signature whitelists. Constructing such whitelists is impractical and at times impossible. At Mazu Networks, we have found that the false positives are a result of not adequately capturing some key differences between worm and normal traffic.

In this talk, I will identify these differences, discuss the algorithms that use them, and share results from a prototype deployment on a large university network.