WORM DETECTION BY TRENDING FAN OUT

摘要

The invention detects stealth worm propagation by comparing the repeat elements in sets of destinations of a source in multiple time windows to a fitted distribution of same, stored as a benchmark plot. Measurements are performed over N time windows, wherein a representation of the set of destinations to which a respective source has sent packets is determined for each source, in each time window. The counting is performed using a hash table. Once N such sets of destinations have been obtained, the number X k of destinations that are common to N, N-1, N-2,..., 2, 7 windows is determined. Thus X kis the number of destinations that a particular source sent packets to in k time windows. X k is then compared to the corresponding value on the plot; anomalies indicate an attack from the respective source.