Combined Behavior- and Signature-Based Internet Worm Detection System

The number of polymorphic and new worms on the Internet is increasing rapidly. Worm infections cause traffic overloads in office networks and congestion of Internet links by replicating itself and hurting the affected companies by causing data loss and damage. Traditional signature-based worm detection systems fail to detect polymorphic and new, previously unseen worms. In this paper, based on an analysis of network traffic behavior, we develop the Combined Worm Detection System (CWDS) by combining signature-based worm detection and behavior-based worm detection. The CWDS uses the signature-based worm detection to detect the known worms, while it uses the behavior-based worm detection to detect polymorphic and new worms. An experimental study on real time network traffic and standard worm data sets is performed to test the proposed CWDS system. The experimental results demonstrate that the proposed CWDS system can detect both known and unknown worms with high detection rate and accuracy.