On detecting active worms with varying scan rate

Active worms have posed a major security threat to the Internet and many research efforts have focused on them. However, defending against them remains challenging due to their continuous evolution. In this paper, we study a new class of defense-oriented evolved worms, the Varying Scan Rate worm (the VSR worm in short). In order to circumvent detection by existing worm detection schemes, the VSR worm deliberately varies its scan rate according to these schemes’ weaknesses. To counteract the VSR worm, we design a new worm-detection scheme, the attack-target Distribution Entropy-based Dynamic detection scheme (DED detection for short). DED detection utilizes the attack-target distribution and robust statistical feature in conjunction with dynamic decision adaptation to distinguish worm-scan traffic from non-worm-scan traffic. We present a comparatively complete space of detection schemes and conduct extensive performance evaluations on the DED detection scheme compared with other schemes, using real-world Internet traces as background scan traffic. Our data clearly demonstrate the effectiveness of the DED detection scheme in detecting both the VSR worm and the traditional worm.