With the recent popularity of the Internet, worms have posed an increasingly severe threat to computer systems and networks. Traditional signature-based detection is not suitable for detecting fast-spreading worms, since it requires worm signatures in advance. Behavior-based detection can detect unknown worms, but there is a trade-off between detection time and false positives. On the other hand, the commonly used block-when-detected method of worm containment has a negative effect on normal traffic.

To address these problems, we propose a step-by-step worm detection and control scheme to contain worms within a Local Area Network. The scheme uses different detection methods to identify the distinct features of the different stages of worm propagation, and employs different control strategies to prevent worms from leaving the Local Area Network. The scan-based detection method detects worms in time by identifying their scanning features in the early stage; the content-based detection method performs deeper inspection of packet contents to identify repeated packets. For hosts showing worm scanning behavior, the rate-limiting control method effectively slows worm spreading while exerting little negative influence on normal traffic; for hosts infected by worms, the block-based control method stops the worm completely by dropping packets that contain the worm signature.

The scan-based detection and control method is implemented on top of Netfilter in the Linux 2.4.x kernel, loading its own hook functions to apply different strategies to suspicious packets. The content-based detection method uses Libpcap to sniff the suspicious traffic from scanning hosts, reassembles the TCP streams, and extracts the longest common substrings from those streams using a suffix tree algorithm.

Tests demonstrate that the step-by-step worm detection and control scheme can detect worms at an early stage and prevent them from spreading efficiently, without affecting normal traffic.
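The two-stage scheme described above, modelled in Python as an added example (this is not the thesis's Netfilter or Libpcap code). It assumes already-reassembled TCP streams as input, uses a brute-force longest-common-substring search in place of the suffix tree algorithm the abstract names, and the flow records, fan-out threshold, minimum signature length and rate-limit budget are all constructed values: hosts whose fan-out looks like scanning are rate-limited, and only hosts whose streams share a long repeated substring are escalated to signature-based blocking, so normal traffic from unflagged hosts is never touched.

```python
"""Two-stage worm detection and containment model, added as an illustration
of the abstract's scheme (not the thesis's code). Flows, thresholds and the
brute-force common-substring search are all constructed/simplified."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # LAN host that opened the connection
    dst: str        # destination host
    dport: int      # destination port
    payload: bytes  # reassembled TCP stream content (constructed sample)


def scanning_hosts(flows, threshold):
    """Stage 1 (scan-based): flag hosts that contact at least `threshold`
    distinct destinations on the same port, the fan-out a scanning worm shows."""
    fanout = defaultdict(set)
    for f in flows:
        fanout[(f.src, f.dport)].add(f.dst)
    return {src for (src, _), dsts in fanout.items() if len(dsts) >= threshold}


def longest_common_substring(streams):
    """Longest byte string present in every stream. Brute force over the
    shortest stream by decreasing length; a stand-in for the suffix-tree
    algorithm the abstract names (same result, far worse complexity)."""
    if len(streams) < 2:
        return b""
    idx = min(range(len(streams)), key=lambda i: len(streams[i]))
    shortest, others = streams[idx], streams[:idx] + streams[idx + 1:]
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in s for s in others):
                return cand
    return b""


def contain(flows, scan_threshold=4, min_sig_len=12):
    """Stage 2 (content-based) runs only on stage-1 suspects. A repeated
    substring long enough to serve as a signature marks an infected host
    ("block"); otherwise the host is merely scanning and is rate-limited."""
    verdicts = {}
    for src in scanning_hosts(flows, scan_threshold):
        streams = [f.payload for f in flows if f.src == src and f.payload]
        sig = longest_common_substring(streams)
        verdicts[src] = ("block", sig) if len(sig) >= min_sig_len else ("rate_limit", None)
    return verdicts


class RateLimiter:
    """Per-host budget of new connections per time window: the control
    applied to hosts that scan but are not yet confirmed infected."""
    def __init__(self, budget):
        self.budget = budget
        self.used = defaultdict(int)

    def allow(self, src, window):
        if self.used[(src, window)] >= self.budget:
            return False
        self.used[(src, window)] += 1
        return True


def hook_decision(verdicts, limiter, flow, window):
    """Per-packet verdict in the spirit of a Netfilter hook: infected hosts
    lose only packets carrying the signature, scanners are rate-limited,
    everything else passes untouched."""
    action, sig = verdicts.get(flow.src, (None, None))
    if action == "block":
        return "DROP" if sig in flow.payload else "ACCEPT"
    if action == "rate_limit":
        return "ACCEPT" if limiter.allow(flow.src, window) else "DROP"
    return "ACCEPT"


# Constructed traffic: one host spraying the same exploit-like payload to many
# peers, one host probing SSH with no payload yet, one host browsing normally.
WORM = b"GET /cgi-bin/x?c=" + b"A" * 24 + b" HTTP/1.0\r\n"
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.%d" % d, 80, WORM + b"%d\r\n" % n)
    for d, n in zip(range(20, 26), (3, 14, 27, 41, 58, 76))
] + [
    Flow("10.0.0.7", "10.0.0.%d" % d, 22, b"") for d in range(30, 35)
] + [
    Flow("10.0.0.9", "10.0.0.2", 80, b"GET /index.html HTTP/1.1\r\n"),
    Flow("10.0.0.9", "10.0.0.3", 80, b"GET /about.html HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for host, (action, sig) in sorted(contain(SAMPLE_FLOWS).items()):
        print(host, action, sig)
```

Running the block prints `10.0.0.5 block` with the repeated request as its extracted signature and `10.0.0.7 rate_limit`, while the browsing host 10.0.0.9 never appears, which is the point of staging: the cheap scan check gates the expensive content inspection, and the harshest control is reserved for hosts where repeated content confirms infection.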