A Behavioral Approach to Worm Detection
Ellis, Daniel R.

This dissertation presents a novel approach to the automatic detection of worms using behavioral signatures. A behavioral signature describes aspects of any worm's behavior that are common across manifestations of the worm and that span its nodes in temporal order. Characteristic patterns of worm behaviors in network traffic include 1) engaging in similar network behaviors from one target machine to the next, 2) tree-like propagation, and 3) changing a server into a client. These behavioral signatures are presented within the context of a general worm model. The most significant contribution of this dissertation is the demonstration that an accurate and fast worm detection system can be built using the above patterns. Further, I show that the class of worms detectable using these patterns exceeds what has been claimed in the literature and covers a significant portion of the classes of worms. Another contribution is the introduction of a novel paradigm, Network Application Architecture (NAA), which concerns possible ways to distribute network application functionality across a network. Three NAAs are discussed. As an NAA becomes more constrained, worm detection gets easier. It is shown that for some NAAs certain classes of worms can be detected with only one packet. The third significant contribution of this dissertation is the capability to evaluate worm detection systems in an operational environment. This capability can be used by other researchers to evaluate their own or others' worm detection systems. The claim is that the capability can emulate practically all worms and that it can do so safely, even in an operational enterprise environment.
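The three behavioral patterns named in the abstract, illustrated as an added detection sketch that is not code from the dissertation: it reads a constructed list of flow records in an assumed (time, src, dst, dst_port) format, flags hosts that accepted a connection on a port and later initiated one on the same port (server turned client), links each such host to the peer that first contacted it, and measures how many generations of like behavior chain together (tree-like propagation of the same network behavior from one target to the next).

```python
from collections import defaultdict

# Constructed flow records (time, src, dst, dst_port); hypothetical sample, not data from the dissertation.
FLOWS = [
    (1, "10.0.0.1", "10.0.0.2", 445),
    (2, "10.0.0.1", "10.0.0.3", 445),
    (3, "10.0.0.2", "10.0.0.4", 445),   # .2 accepted 445 at t=1, initiates 445 at t=3
    (4, "10.0.0.3", "10.0.0.5", 445),
    (5, "10.0.0.4", "10.0.0.6", 445),   # third generation of the same behavior
    (6, "10.0.0.9", "10.0.0.1", 80),    # ordinary client/server traffic, never inverted
    (7, "10.0.0.9", "10.0.0.3", 22),
]

def first_inbound(flows):
    """Map (host, port) -> (time, peer) of the first connection the host accepted on that port."""
    seen = {}
    for t, src, dst, port in sorted(flows):
        seen.setdefault((dst, port), (t, src))
    return seen

def server_turned_client(flows):
    """Pattern 3: hosts that first accepted a connection on a port and later initiated one
    on the same port. Returns (host, port) -> the peer that first contacted the host there."""
    inbound = first_inbound(flows)
    inverted = {}
    for t, src, dst, port in sorted(flows):
        if (src, port) in inbound and inbound[(src, port)][0] < t:
            inverted.setdefault((src, port), inbound[(src, port)][1])
    return inverted

def propagation_depth(flows, port):
    """Patterns 1 and 2: chain inverted hosts on one port through the peer that reached them
    and return the longest parent->child chain, i.e. the generations of like behavior."""
    parent = {h: p for (h, prt), p in server_turned_client(flows).items() if prt == port}

    def depth(host):
        return 1 + depth(parent[host]) if host in parent else 1

    return max((depth(h) for h in parent), default=0)

def worm_alert(flows, port, min_generations=3):
    """Raise an alert once the same behavior has propagated across min_generations hosts."""
    return propagation_depth(flows, port) >= min_generations
```

On the sample, port 445 shows the chain 10.0.0.1 -> 10.0.0.2 -> 10.0.0.4 (three generations) and alerts, while the port 80 and 22 traffic never inverts a server into a client and stays silent.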