Signature metrics for accurate and automated worm detection.

CCS (2006)

Abstract

This paper presents two simple algorithms, TreeCount and SenderCount, that detect a broad range of exploit-based and email worms, respectively. These algorithms, when combined with automated payload fingerprinting, generate precise worm payload signatures. We show that fundamental traffic properties of most worms, such as infected hosts' attempts to propagate the worm, can serve to detect signatures of non-polymorphic worms reliably and rapidly. Our prototype monitored over 200 Mb/s of university traffic for 3 months. TreeCount generated new signatures during the Zotob outbreak with no false positives, and also identified known worms like Sasser and Phatbot. SenderCount identified email worms and a spam cluster, while generating ∼2 false positives/hour.