The propagation speed of fast scanning worms and the stealthy nature of slow scanning worms present unique challenges to intrusion detection. Typically, techniques optimized for detection of fast scanning worms fail to detect slow scanning worms, and vice versa. In practice, there is interest in developing an integrated approach to detecting both classes of worms. In this paper, we propose and analyze a unique integrated detection approach capable of detecting and identifying traffic flow(s) responsible for simultaneous fast and slow scanning malicious worm attacks. The approach uses a combination of evidence from distributed host-based anomaly detectors, a self-adapting profiler and Bayesian inference from network heuristics to detect intrusion activity due to both fast and slow scanning worms. We assume that the extreme nature of fast scanning worm epidemics make them well suited for extreme value theory and use sample mean excess function to determine appropriate thresholds for detection of such worms. Random scanning worm behavior is considered in analyzing the stochastic time intervals that affect behavior of the detection technique. Based on the analysis, a probability model for worm detection interval using the detection scheme was developed. Simulations are used to validate our assumptions and analysis.

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	John Mark Agosta , Carlos Diuk-Wasser , Jaideep Chandrashekar , Carl Livadas, An adaptive anomaly detector for worm detection, Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques, p.1-6, April 10, 2007, Cambridge, MA
	2	F. Akujobi, I. Lambadaris, and E. Kranakis. Endpoint-driven intrusion detection and containment of fast spreading worms in enterprise networks. In IEEE Military Communications Conference (MILCOM) 2007, 2007.
	3	A. Balkema and L. de Haan. Residual life time at great age. The Annals of Probability, 2(5):792--804, 1974.
	4	Mark Burgess, Probabilistic anomaly detection in distributed computer networks, Science of Computer Programming, v.60 n.1, p.1-26, March 2006  [doi>10.1016/j.scico.2005.06.001]
	5	C. A. CA-2001-26. Nimda worm. http://www.cert.org/advisories/CA-2001-26.html, 2001.
	6	Manuel Costa , Jon Crowcroft , Miguel Castro , Antony Rowstron , Lidong Zhou , Lintao Zhang , Paul Barham, Vigilante: end-to-end containment of internet worms, Proceedings of the twentieth ACM symposium on Operating systems principles, October 23-26, 2005, Brighton, United Kingdom
	7	Carrie Gates , Carol Taylor, Challenging the anomaly detection paradigm: a provocative discussion, Proceedings of the 2006 workshop on New security paradigms, September 19-22, 2006, Germany  [doi>10.1145/1278940.1278945]
	8	J. Jung, V. Paxson, A. Berger, and H. Balakrishnan. Fast portscan detection using sequential hypothesis testing. In In Proceedings of the IEEE Symposium on Security and Privacy, May 9--12, 2004., 2004.
	9	E. K Ãńllezi and M. Gilli. Extreme value theory for tail-related risk measures. FAME Research Paper Series rp18, International Center for Financial Asset Management and Engineering, Oct. 2000.
	10	David Moore , Colleen Shannon , k claffy, Code-Red: a case study on the spread and victims of an internet worm, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637244]
	11	Darren Mutz , Fredrik Valeur , Giovanni Vigna , Christopher Kruegel, Anomalous system call detection, ACM Transactions on Information and System Security (TISSEC), v.9 n.1, p.61-93, February 2006  [doi>10.1145/1127345.1127348]
	12	David M. Nicol, The impact of stochastic variance on worm propagation and detection, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA  [doi>10.1145/1179542.1179555]
	13	J. Pickands. Statistical inference using extreme order statistics. The Annals of Statistics, 3(1):119--131, 1975.
	14	S. Schechter, J. Jung, and A. Berger. Fast Detection of Scanning Worm Infections. In 7th International Symposium on Recent Advances in Intrusion Detection (RAID), French Riviera, France, September 2004.
	15	D. Schirmacher, E. Schirmacher, and N. Thandi. Stochastic excess-of-loss pricing within a financial framework. http://www.casact.org/pubs/forum/05spforum/05spf297.pdf, 2005.
	16	Vyas Sekar , Yinglian Xie , Michael K. Reiter , Hui Zhang, A Multi-Resolution Approach forWorm Detection and Containment, Proceedings of the International Conference on Dependable Systems and Networks, p.189-198, June 25-28, 2006  [doi>10.1109/DSN.2006.6]
	17	Colleen Shannon , David Moore, The Spread of the Witty Worm, IEEE Security and Privacy, v.2 n.4, p.46-50, July 2004  [doi>10.1109/MSP.2004.59]
	18	Sumeet Singh , Cristian Estan , George Varghese , Stefan Savage, Automated worm fingerprinting, Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation, p.4-4, December 06-08, 2004, San Francisco, CA
	19	Chad Sullivan, Cisco Security Agent, Cisco Press, 2005
	20	Swsoft. Openvz homepage. http://openvz.org/, 2008.
	21	C. Systems Inc. Cisco Catalyst 6500 Supervisor Engine 32 PISA. http://www.cisco.com/en/US/products/ps7209/index.html, 2008.
	22	Nicholas Weaver , Stuart Staniford , Vern Paxson, Very fast containment of scanning worms, Proceedings of the 13th conference on USENIX Security Symposium, p.3-3, August 09-13, 2004, San Diego, CA
	23	Cliff Changchun Zou , Lixin Gao , Weibo Gong , Don Towsley, Monitoring and early warning for internet worms, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA  [doi>10.1145/948109.948136]