
    SWorD: A Simple Worm Detection Scheme

    Detection of fast-spreading Internet worms is a problem for which no adequate defenses exist. In this paper we present a Simple Worm Detection scheme (SWorD). SWorD is designed as a statistical detection method for detecting and automatically filtering fast-spreading TCP-based worms. SWorD is a simple two-tier counting algorithm designed to be deployed on the network edge. The first tier is a lightweight traffic filter, while the second tier is more selective and rarely invoked. We present results using network traces from both a small and a large network to demonstrate SWorD’s performance. Our results show that SWorD accurately detects over 75% of all infected hosts within six seconds, making it an attractive solution for the worm detection problem.