Detecting Internet worms at early stage

Managing the security of enterprise networks has emerged to be a critical problem in the era of Internet economy. Arising as a leading threat, worms repetitively caused enormous damage to the Internet community during the past years. A new security service that monitors the ongoing worm activities on the Internet will greatly contribute to the security management of modern enterprise networks. This paper proposes an Internet-worm early warning system that automatically detects concerted scan activities and derives possible signatures of worm attacks. Its goal is to issue warning at the early stage of worm propagation and to provide necessary information for security analysts to control the damage. It reduces false positives by filtering out false scan sources. The system is locally deployable or can be codeployed amongst a group of enterprise networks. We provide both analytical and simulation studies on the responsiveness of this early warning system.