Carleton University
Technical Report TR-04-06
August 2004
DNS-based Detection of Scanning Worms in an Enterprise Network
Abstract
Worms are arguably the most serious security threat facing the Internet. Motivated to develop a detection technique that is both efficient and accurate enough to enable automatic containment of worm propagation at the network egress points, we propose a new technique for the rapid detection of worm propagation from an enterprise network. Implemented in software, it relies on the correlation of Domain Name System (DNS) queries with outgoing connections from an enterprise network. Significant improvements over existing scanning-worm detection techniques include: (1) the possibility of detecting worm propagation after only a single infection attempt; (2) the capacity to detect zero-day worms; and (3) a low false positive rate. The precision of this first-mile detection technique supports the use of automated containment and suppression strategies to stop fast scanning worms before they leave the network boundary. Furthermore, we believe that this technique can be applied with the same precision to identify other forms of malicious behavior within an enterprise network, such as mass-mailing worms, network reconnaissance activity, and covert communications.