Hybrid Intrusion Detection System for Worm Attacks Based on Their Network Behavior

  • Hassan Hadi Latheeth AL-MaksousyEmail author
  • Michele C. Weigle
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 259)


Computer worms are characterized by rapid propagation and intrusive network disruption. In this work, we analyze the network behavior of five Internet worms: Sasser, Slammer, Eternal Rocks, WannaCry, and Petya. Through this analysis, we use a deep neural network to successfully classify network traces of these worms along with normal traffic. Our hybrid approach includes a visualization that allows for further analysis and tracing of the network behavior of detected worms.


Deep learning Worm traffic Internet worms Sasser Slammer NotPetya WannaCry EternalRocks Visualization 


  1. 1.
    Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the slammer worm. IEEE Secur. Priv. 1(4), 33–39 (2003)CrossRefGoogle Scholar
  2. 2.
    Islam, A., Oppenheim, N., Thomas, W.: EternalBlue SMB protocol exploit (2017).
  3. 3.
    Mishra, B.K., Jha, N.: SEIQRS model for the transmission of malicious objects in computer network. Appl. Math. Model. 34(3), 710–715 (2010)MathSciNetCrossRefGoogle Scholar
  4. 4.
    Mishra, B., Pandey, S.: Fuzzy epidemic model for the transmission of worms in computer network. Nonlinear Anal. R. World Appl. 11(5), 4335–4341 (2010)CrossRefGoogle Scholar
  5. 5.
    Toutonji, O.A., Yoo, S.-M.: Stability analysis of VEISV propagation modeling for network worm attack. Appl. Math. Model. 36(6), 2751–2761 (2012)MathSciNetCrossRefGoogle Scholar
  6. 6.
    Li, P., Salour, M., Xiao, S.: A survey of internet worm detection and containment. IEEE Commun. Surv. Tutor. 10, 20–35 (2008)CrossRefGoogle Scholar
  7. 7.
    Tang, Y., Chen, S.: Defending against internet worms: a signature-based approach. In: Proceedings of IEEE INFOCOM, vol. 2, pp. 1384–1394, March 2005Google Scholar
  8. 8.
    Kim, H.A., Karp, B.: Autograph: toward automated, distributed worm signature detection. In: Proceedings of the USENIX Security Symposium (2004)Google Scholar
  9. 9.
    Al-Hammadi, Y., Leckie, C.: Anomaly detection for internet worms. In: Proceedings of the 9th IFIP/IEEE International Symposium on Integrated Network Management, pp. 133–146, May 2005Google Scholar
  10. 10.
    Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature distributions. In: Proceedings of ACM SIGCOMM, pp. 217–228 (2005)CrossRefGoogle Scholar
  11. 11.
    Chen, X., Heidemann, J.: Detecting early worm propagation through packet matching. Technical report, University of Southern California, Information Sciences Institute (2004)Google Scholar
  12. 12.
    Sarnsuwan, N., Charnsripinyo, C., Wattanapongsakorn, N.: A new approach for internet worm detection and classification. In: INC2010: 6th International Conference on Networked Computing, pp. 1–4, May 2010Google Scholar
  13. 13.
    Barhoom, T.S., Qeshta, H.A.: Adaptive worm detection model based on multi classifiers. In: Palestinian International Conference on Information and Communication Technology, pp. 57–65, April 2013Google Scholar
  14. 14.
    Rasheed, M.M., Badrawi, S., Faaeq, M.K., Faieq, A.K.: Detecting and optimizing internet worm traffic signature. In: 8th International Conference on Information Technology (ICIT), pp. 870–874, May 2017Google Scholar
  15. 15.
    Tang, T.A., Mhamdi, L., McLernon, D., Zaidi, S.A.R., Ghogho, M.: Deep learning approach for network intrusion detection in software defined networking. In: International Conference on Wireless Networks and Mobile Communications (WINCOM), pp. 258–263, October 2016Google Scholar
  16. 16.
    Axelsson, S.: Visualization for intrusion detection-hooking the worm. In: 8th European Symposium on Research in Computer Security ESORICS 2003 (2003)Google Scholar
  17. 17.
    Malaspinas, S.: Getting Sassy with Microsoft - An in depth analysis of the LSASRV.dll vulnerability. Global Information Assurance Certification Paper, pp. 1–56 (2004)Google Scholar
  18. 18.
    Abrams, T.: Microsoft LSASS buffer overflow from exploit to worm. SANS Network Security (2004)Google Scholar
  19. 19.
    Zheng, H., Lifa, W., Huabo, L., Fan, P.: Worm detection and containment in local networks. In: International Conference on Computer Science and Information Processing (CSIP), pp. 595–598 (2012)Google Scholar
  20. 20.
    Dübendorfer, T., Wagner, A., Hossmann, T., Plattner, B.: Flow-level traffic analysis of the blaster and sobig worm outbreaks in an internet backbone. In: Julisch, K., Kruegel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 103–122. Springer, Heidelberg (2005). Scholar
  21. 21.
  22. 22.
    Francois Chollet. Keras (2015).
  23. 23.
  24. 24.
  25. 25.
  26. 26.

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  • Hassan Hadi Latheeth AL-Maksousy
    • 1
    Email author
  • Michele C. Weigle
    • 1
  1. 1.Department of Computer ScienceOld Dominion UniversityNorfolkUSA

Personalised recommendations