ACTM: Anomaly Connection Tree Method to detect silent worms

Nobutaka Kawaguchi; Yusuke Azuma; Shintaro Ueda; Hiroshi Shigeno; Ken Ichi Okada

doi:10.1109/AINA.2006.70

ACTM: Anomaly Connection Tree Method to detect silent worms

Nobutaka Kawaguchi, Yusuke Azuma, Shintaro Ueda, Hiroshi Shigeno, Ken Ichi Okada

Department of Information and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

In this paper we propose a novel worm detection method that can detect silent worms in intranet. Most existing detection methods use aggressive activities of worms as a clue for detection and are ineffective against worms that propagate silently using a list of vulnerable hosts. To detect such worms, we propose Anomaly Connection Tree Method (ACTM). ACTM uses two features present to most worms. First is that the worms's propagation behaviour is expressed as tree-like structures. Second is that the worm's selection of infection targets does not consider which hosts its infected host communicates to frequently. Then, by constructing trees that are composed of anomaly connections, ACTM detects the existence of such worms. Through the simulation results, we have shown that ACTM can detect the worms in an early stage.

Original language	English
Title of host publication	Proceedings - 20th International Conference on Advanced Information Networking and Applications
Pages	901-906
Number of pages	6
DOIs	https://doi.org/10.1109/AINA.2006.70
Publication status	Published - 2006 Nov 22
Event	20th International Conference on Advanced Information Networking and Applications - Vienna, Austria Duration: 2006 Apr 18 → 2006 Apr 20

Publication series

Name	Proceedings - International Conference on Advanced Information Networking and Applications, AINA
Volume	1
ISSN (Print)	1550-445X

Other

Other	20th International Conference on Advanced Information Networking and Applications
Country/Territory	Austria
City	Vienna
Period	06/4/18 → 06/4/20

ASJC Scopus subject areas

Engineering(all)

Access to Document

10.1109/AINA.2006.70

Cite this

Kawaguchi, N., Azuma, Y., Ueda, S., Shigeno, H., & Okada, K. I. (2006). ACTM: Anomaly Connection Tree Method to detect silent worms. In Proceedings - 20th International Conference on Advanced Information Networking and Applications (pp. 901-906). Article 1620301 (Proceedings - International Conference on Advanced Information Networking and Applications, AINA; Vol. 1). https://doi.org/10.1109/AINA.2006.70

ACTM: Anomaly Connection Tree Method to detect silent worms. / Kawaguchi, Nobutaka; Azuma, Yusuke; Ueda, Shintaro et al.
Proceedings - 20th International Conference on Advanced Information Networking and Applications. 2006. p. 901-906 1620301 (Proceedings - International Conference on Advanced Information Networking and Applications, AINA; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kawaguchi, N, Azuma, Y, Ueda, S, Shigeno, H & Okada, KI 2006, ACTM: Anomaly Connection Tree Method to detect silent worms. in Proceedings - 20th International Conference on Advanced Information Networking and Applications., 1620301, Proceedings - International Conference on Advanced Information Networking and Applications, AINA, vol. 1, pp. 901-906, 20th International Conference on Advanced Information Networking and Applications, Vienna, Austria, 06/4/18. https://doi.org/10.1109/AINA.2006.70

@inproceedings{1013b4042c90447298d5867b6ec164c0,

title = "ACTM: Anomaly Connection Tree Method to detect silent worms",

abstract = "In this paper we propose a novel worm detection method that can detect silent worms in intranet. Most existing detection methods use aggressive activities of worms as a clue for detection and are ineffective against worms that propagate silently using a list of vulnerable hosts. To detect such worms, we propose Anomaly Connection Tree Method (ACTM). ACTM uses two features present to most worms. First is that the worms's propagation behaviour is expressed as tree-like structures. Second is that the worm's selection of infection targets does not consider which hosts its infected host communicates to frequently. Then, by constructing trees that are composed of anomaly connections, ACTM detects the existence of such worms. Through the simulation results, we have shown that ACTM can detect the worms in an early stage.",

author = "Nobutaka Kawaguchi and Yusuke Azuma and Shintaro Ueda and Hiroshi Shigeno and Okada, {Ken Ichi}",

year = "2006",

month = nov,

day = "22",

doi = "10.1109/AINA.2006.70",

language = "English",

isbn = "0769524664",

series = "Proceedings - International Conference on Advanced Information Networking and Applications, AINA",

pages = "901--906",

booktitle = "Proceedings - 20th International Conference on Advanced Information Networking and Applications",

note = "20th International Conference on Advanced Information Networking and Applications ; Conference date: 18-04-2006 Through 20-04-2006",

}

TY - GEN

T1 - ACTM

T2 - 20th International Conference on Advanced Information Networking and Applications

AU - Kawaguchi, Nobutaka

AU - Azuma, Yusuke

AU - Ueda, Shintaro

AU - Shigeno, Hiroshi

AU - Okada, Ken Ichi

PY - 2006/11/22

Y1 - 2006/11/22

N2 - In this paper we propose a novel worm detection method that can detect silent worms in intranet. Most existing detection methods use aggressive activities of worms as a clue for detection and are ineffective against worms that propagate silently using a list of vulnerable hosts. To detect such worms, we propose Anomaly Connection Tree Method (ACTM). ACTM uses two features present to most worms. First is that the worms's propagation behaviour is expressed as tree-like structures. Second is that the worm's selection of infection targets does not consider which hosts its infected host communicates to frequently. Then, by constructing trees that are composed of anomaly connections, ACTM detects the existence of such worms. Through the simulation results, we have shown that ACTM can detect the worms in an early stage.

AB - In this paper we propose a novel worm detection method that can detect silent worms in intranet. Most existing detection methods use aggressive activities of worms as a clue for detection and are ineffective against worms that propagate silently using a list of vulnerable hosts. To detect such worms, we propose Anomaly Connection Tree Method (ACTM). ACTM uses two features present to most worms. First is that the worms's propagation behaviour is expressed as tree-like structures. Second is that the worm's selection of infection targets does not consider which hosts its infected host communicates to frequently. Then, by constructing trees that are composed of anomaly connections, ACTM detects the existence of such worms. Through the simulation results, we have shown that ACTM can detect the worms in an early stage.

UR - http://www.scopus.com/inward/record.url?scp=33751082699&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33751082699&partnerID=8YFLogxK

U2 - 10.1109/AINA.2006.70

DO - 10.1109/AINA.2006.70

M3 - Conference contribution

AN - SCOPUS:33751082699

SN - 0769524664

SN - 9780769524665

T3 - Proceedings - International Conference on Advanced Information Networking and Applications, AINA

SP - 901

EP - 906

BT - Proceedings - 20th International Conference on Advanced Information Networking and Applications

Y2 - 18 April 2006 through 20 April 2006

ER -

ACTM: Anomaly Connection Tree Method to detect silent worms

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this