{"id":13130,"date":"2021-12-06T18:52:12","date_gmt":"2021-12-06T23:52:12","guid":{"rendered":"https:\/\/carleton.ca\/scs\/?page_id=13130"},"modified":"2021-12-06T18:52:12","modified_gmt":"2021-12-06T23:52:12","slug":"tr-05-02-arp-based-detection-of-scanning-worms-within-an-enterprise-network","status":"publish","type":"page","link":"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/tr-05-02-arp-based-detection-of-scanning-worms-within-an-enterprise-network\/","title":{"rendered":"TR-05-02: ARP-based Detection of Scanning Worms Within an Enterprise Network"},"content":{"rendered":"<p>Carleton University<br \/>\n<a href=\"https:\/\/carleton.ca\/scs\/research\/scs-technical-reports\/technical-reports-2005\/\">Technical Report<\/a> TR-05-02<br \/>\nFebruary 1, 2005<\/p>\n<h2>ARP-based Detection of Scanning Worms Within an Enterprise Network<\/h2>\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">\n<div class=\"tr_t3\">David Whyte, P.C. Van Oorschot, Evangelos Kranakis<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<div>\n<h3>Abstract<\/h3>\n<p>Rapidly propagating worms are arguably the greatest security threat currently facing the Internet. To date, worm writers have been successful in penetrating most security countermeasures. Signature-based detection schemes often fail to detect zero-day worms, and their ability to rapidly react to new threats is limited as they typically require some form of human involvement to formulate updated attack signatures. We propose an anomaly-based detection technique designed to protect internal networks from scanning worm infections. This is the first publication in the open literature (to our knowledge) proposing and providing a detailed description of a method to detect propagation of scanning worms within individual network cells. 
We show that this technique is both accurate and rapid enough to enable automatic containment and suppression of worm propagation within a network cell. Implemented in software, our detection approach relies on an aggregate anomaly score, derived from the correlation of Address Resolution Protocol (ARP) activity from individual network attached devices. Our preliminary analysis and prototype indicate that this technique can be used to rapidly detect zero-day worms within a very small number of scans, e.g. three scans with a false positive rate of five over a two week period in our test environment. The necessary individual ARP activity system profiles are automatically generated during a training period and thus the software can be rapidly deployed with minimal tuning and administration.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p><a href=\"https:\/\/carleton.ca\/scs\/wp-content\/uploads\/TR-05-02.pdf\">TR-05-02.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Carleton University Technical Report TR-05-02 February 1, 2005 ARP-based Detection of Scanning Worms Within an Enterprise Network David Whyte, P.C. Van Oorschot, Evangelos Kranakis Abstract Rapidly propagating worms are arguably the greatest security threat currently facing the Internet. To date, worm writers have been successful in penetrating most security countermeasures. 
Signature-based detection schemes often fail [&hellip;]<\/p>\n","protected":false},"author":49,"featured_media":0,"parent":12337,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":""}