Hit-list worm detection using distributed sliding window

In this paper, we propose a new distributed hit-list worm detection method: the Anomaly Connection Tree Method with Distributed Sliding Window (ACTM-DSW). ACTM-DSW employs multiple distributed network Intrusion Detection Systems (IDSs), each of which monitors a small portion of an enterprise network. In ACTM-DSW, worm propagation trees are detected by using a sliding time window. More precisely, the distributed IDSs in ACTM-DSW cooperatively detect tree structures composed of the worm’s infection connections that have been made within a time window. Through computer-based simulations, we demonstrate that ACTM-DSW outperforms an existing distributed worm detection method, called d-ACTM/VT, for detecting worms whose infection intervals are not constant, but rather have an exponential or uniform distribution. In addition, we implement the distributed IDSs on Xen, a virtual machine environment, and demonstrate the feasibility of the proposed method experimentally.