Carleton University
Technical Report TR-04-02
June 2004
A Monitoring System for Detecting Repeated Packets with Applications to Computer Worms
Abstract
We present a monitoring system to detect worm propagation using Bloom filters with counters. The system is based on stateful analysis of network traffic in the routers of a network. Our preliminary evaluation of the system involved real traffic from our internal lab and a well-known DARPA data set. After appropriate configuration, the system produces no false alarms on these data sets. We also conduct simulations using real Internet Service Provider topologies with real link delays and simulated traffic. These simulations confirm that this approach can detect worms at early stages of propagation. We believe our approach, with minor adaptations, is of independent interest for a number of network applications that benefit from detecting repeated packets, beyond detecting worm propagation. These include detecting network anomalies such as dangerous traffic fluctuations, abusive use of certain services, and distributed denial-of-service attacks.
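The following is an added illustration, not code from the report: a minimal Bloom filter with counters that flags a payload once its estimated repeat count reaches a threshold. Keying on payload bytes, the threshold of 3, the filter size, the hashing scheme and the sample packets are all assumptions made for this example.

```python
import hashlib

class CountingBloomFilter:
    """Bloom filter whose slots hold counters instead of single bits."""

    def __init__(self, slots=4096, hashes=4):
        self.slots, self.hashes = slots, hashes
        self.counters = [0] * slots

    def _indexes(self, item: bytes):
        # Derive k slot indexes from one SHA-256 digest (double hashing).
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.slots for i in range(self.hashes)]

    def add(self, item: bytes) -> int:
        """Record one occurrence and return the estimated count so far."""
        idx = self._indexes(item)
        for i in set(idx):  # a slot hit twice by one item is bumped once
            self.counters[i] += 1
        # Collisions can only inflate counters, so the minimum never undercounts.
        return min(self.counters[i] for i in idx)

def repeated_payloads(packets, threshold=3, slots=4096, hashes=4):
    """Return payloads whose estimated repeat count reaches the threshold."""
    cbf = CountingBloomFilter(slots, hashes)
    alarms = []
    for _src, _dst, payload in packets:
        # Assumption: key on payload only, so the same content sent to
        # many destinations accumulates in the same counters.
        if cbf.add(payload) >= threshold and payload not in alarms:
            alarms.append(payload)
    return alarms

# Constructed sample traffic (documentation address ranges, made-up payloads).
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.1", b"GET /index.html"),
    ("192.0.2.66", "198.51.100.2", b"constructed-repeated-payload"),
    ("192.0.2.11", "198.51.100.3", b"DNS query example.org"),
    ("192.0.2.66", "198.51.100.4", b"constructed-repeated-payload"),
    ("192.0.2.12", "198.51.100.1", b"GET /about.html"),
    ("198.51.100.2", "203.0.113.9", b"constructed-repeated-payload"),
]

if __name__ == "__main__":
    print(repeated_payloads(SAMPLE_PACKETS))
```

Because counters are shared between items, the estimate can overcount but never undercount, so the filter size and threshold decide how many false alarms a deployment sees.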