NADTW: new approach for detecting TCP worm

Mohammed Anbar; Rosni Abdullah; Alhamza Munther; Mohammed Azmi Al-Betar; Redhwan M.A. Saad

doi:10.1007/s00521-016-2358-9

NADTW: new approach for detecting TCP worm

Mohammed Anbar
, Rosni Abdullah
, Alhamza Munther
, Mohammed Azmi Al-Betar
, Redhwan M.A. Saad

Universiti Sains Malaysia
Universiti Malaysia Perlis
Al-Balqa Applied University

Research output: Contribution to journal › Article › peer-review

3 Scopus citations

Abstract

A computer worm is a self-replicating malicious code that does not alter files but resides in active memory where it duplicates itself. Worms use parts of the operating system that are automatic and usually invisible to the user. Worms commonly exhibit abnormal behaviors, which become noticeable only when their uncontrolled replication consumes system resources and consequently decelerates or halts other tasks completely. This paper proposes an effective approach for detecting the presence of TCP network worms. This approach consists of two phases: Statistical Cross-relation for Network Scanning (SCANS) phase and the Worm Correlation phase. The SCANS phase is used to detect the presence of the network scanning behavior of a network worm, while the worm correlation phase is used to detect the Destination Source Correlation (DSC) behavior of the network worm. The proposed approach has been tested with a simulated dataset obtained from the GTNetS simulator. The numerical results showed that the proposed approach is efficient and outperforms the well-known DSC approach in terms of detecting the presence of TCP network worm.

Original language	English
Pages (from-to)	525-538
Number of pages	14
Journal	Neural Computing and Applications
Volume	28
DOIs	https://doi.org/10.1007/s00521-016-2358-9
State	Published - 1 Dec 2017
Externally published	Yes

Keywords

Destination Source Correlation (DSC)
Intrusion Detection System (IDS)
Malicious codes
Network scanning
TCP worm

Access to Document

10.1007/s00521-016-2358-9

Cite this

@article{fedc264b19b44891a45f455261fad816,

title = "NADTW: new approach for detecting TCP worm",

abstract = "A computer worm is a self-replicating malicious code that does not alter files but resides in active memory where it duplicates itself. Worms use parts of the operating system that are automatic and usually invisible to the user. Worms commonly exhibit abnormal behaviors, which become noticeable only when their uncontrolled replication consumes system resources and consequently decelerates or halts other tasks completely. This paper proposes an effective approach for detecting the presence of TCP network worms. This approach consists of two phases: Statistical Cross-relation for Network Scanning (SCANS) phase and the Worm Correlation phase. The SCANS phase is used to detect the presence of the network scanning behavior of a network worm, while the worm correlation phase is used to detect the Destination Source Correlation (DSC) behavior of the network worm. The proposed approach has been tested with a simulated dataset obtained from the GTNetS simulator. The numerical results showed that the proposed approach is efficient and outperforms the well-known DSC approach in terms of detecting the presence of TCP network worm.",

keywords = "Destination Source Correlation (DSC), Intrusion Detection System (IDS), Malicious codes, Network scanning, TCP worm",

author = "Mohammed Anbar and Rosni Abdullah and Alhamza Munther and Al-Betar, \{Mohammed Azmi\} and Saad, \{Redhwan M.A.\}",

note = "Publisher Copyright: {\textcopyright} 2016, The Natural Computing Applications Forum.",

year = "2017",

month = dec,

day = "1",

doi = "10.1007/s00521-016-2358-9",

language = "English",

volume = "28",

pages = "525--538",

journal = "Neural Computing and Applications",

issn = "0941-0643",

publisher = "Springer London",

}

TY - JOUR

T1 - NADTW

T2 - new approach for detecting TCP worm

AU - Anbar, Mohammed

AU - Abdullah, Rosni

AU - Munther, Alhamza

AU - Al-Betar, Mohammed Azmi

AU - Saad, Redhwan M.A.

PY - 2017/12/1

Y1 - 2017/12/1

N2 - A computer worm is a self-replicating malicious code that does not alter files but resides in active memory where it duplicates itself. Worms use parts of the operating system that are automatic and usually invisible to the user. Worms commonly exhibit abnormal behaviors, which become noticeable only when their uncontrolled replication consumes system resources and consequently decelerates or halts other tasks completely. This paper proposes an effective approach for detecting the presence of TCP network worms. This approach consists of two phases: Statistical Cross-relation for Network Scanning (SCANS) phase and the Worm Correlation phase. The SCANS phase is used to detect the presence of the network scanning behavior of a network worm, while the worm correlation phase is used to detect the Destination Source Correlation (DSC) behavior of the network worm. The proposed approach has been tested with a simulated dataset obtained from the GTNetS simulator. The numerical results showed that the proposed approach is efficient and outperforms the well-known DSC approach in terms of detecting the presence of TCP network worm.

AB - A computer worm is a self-replicating malicious code that does not alter files but resides in active memory where it duplicates itself. Worms use parts of the operating system that are automatic and usually invisible to the user. Worms commonly exhibit abnormal behaviors, which become noticeable only when their uncontrolled replication consumes system resources and consequently decelerates or halts other tasks completely. This paper proposes an effective approach for detecting the presence of TCP network worms. This approach consists of two phases: Statistical Cross-relation for Network Scanning (SCANS) phase and the Worm Correlation phase. The SCANS phase is used to detect the presence of the network scanning behavior of a network worm, while the worm correlation phase is used to detect the Destination Source Correlation (DSC) behavior of the network worm. The proposed approach has been tested with a simulated dataset obtained from the GTNetS simulator. The numerical results showed that the proposed approach is efficient and outperforms the well-known DSC approach in terms of detecting the presence of TCP network worm.

KW - Destination Source Correlation (DSC)

KW - Intrusion Detection System (IDS)

KW - Malicious codes

KW - Network scanning

KW - TCP worm

UR - https://www.scopus.com/pages/publications/84973154632

U2 - 10.1007/s00521-016-2358-9

DO - 10.1007/s00521-016-2358-9

M3 - Article

AN - SCOPUS:84973154632

SN - 0941-0643

VL - 28

SP - 525

EP - 538

JO - Neural Computing and Applications

JF - Neural Computing and Applications

ER -

NADTW: new approach for detecting TCP worm

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this