Academic Journals Database

Setting a Worm Attack Warning by using Machine Learning to Classify NetFlow Data

Author(s): Shubair A. Abdulla | Sureswara Ramadass | Altyeb Altaher | Amer Al Nassiri

Journal: International Journal of Computer Applications
ISSN 0975-8887

Volume: 36
Issue: 2
Start page: 49
Date: 2011

Keywords: Intrusion detection systems | NetFlow | Support vector machines | Scanning worms | Email worms

We present a worm warning system that leverages the reliability of IPFlow and the effectiveness of machine learning techniques. Our system aims to raise an alarm when a node is behaving maliciously. Typically, a host infected by a scanning or an email worm initiates a significant amount of traffic that does not rely on DNS to translate names into numeric IP addresses. Based on this fact, we capture and classify NetFlow records to extract features that uniquely identify a worm's flows. The features are encapsulated into a set of feature patterns used to train support vector machines (SVM). A feature pattern includes the number of DNS requests, the number of DNS responses, the number of DNS normals, and the number of DNS anomalies for each PC on the network within a certain period of time. The SVM is trained on five of the most dangerous scanning worms: CodeRed, Slammer, Sasser, Witty, and Doomjuice, as well as five email worms: Sobig, NetSky, MyDoom, Storm and Conficker. Eleven worms were used during testing: Welchia, Dabber, BlueCode, Myfip, Nimda, Sober, Bagle, Francette, Sasser, MyDoom, and Conficker. The experimental results demonstrate the soundness of the worm warning system.
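As an added illustration (not code from the paper), the following Python builds the per-host feature pattern described in the abstract from constructed NetFlow-style records. The window length, the DNS lookback rule used to decide whether a flow counts as a "DNS normal" or a "DNS anomaly", the `anomaly_ratio` helper and all addresses are assumptions; the paper feeds such vectors to an SVM, which is not reproduced here.

```python
from collections import defaultdict

# Constructed NetFlow-style records (not from the paper):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto)
FLOWS = [
    # 10.0.0.5: ordinary client, resolves a name before each connection
    (0.0, "10.0.0.5", 51000, "10.0.0.1", 53, "udp"),
    (0.1, "10.0.0.1", 53, "10.0.0.5", 51000, "udp"),
    (0.5, "10.0.0.5", 52000, "93.184.216.34", 80, "tcp"),
    (1.0, "10.0.0.5", 51001, "10.0.0.1", 53, "udp"),
    (1.1, "10.0.0.1", 53, "10.0.0.5", 51001, "udp"),
    (1.4, "10.0.0.5", 52001, "93.184.216.35", 443, "tcp"),
    # 10.0.0.9: scanner-like host, many connections with no DNS traffic at all
    *[(2.0 + i * 0.01, "10.0.0.9", 40000 + i, f"192.0.2.{i}", 445, "tcp")
      for i in range(1, 21)],
]

DNS_LOOKBACK_S = 2.0  # assumption: a DNS response within 2 s "explains" later flows


def feature_patterns(flows, window_s=60.0, lookback_s=DNS_LOOKBACK_S):
    """Return {(host, window_index): [dns_requests, dns_responses,
    dns_normals, dns_anomalies]} for every host that initiates traffic."""
    feats = defaultdict(lambda: [0, 0, 0, 0])
    last_dns_resp = {}  # host -> timestamp of the latest DNS response it received
    for ts, src, sport, dst, dport, proto in sorted(flows):
        win = int(ts // window_s)
        if proto == "udp" and dport == 53:      # host -> resolver: DNS request
            feats[(src, win)][0] += 1
        elif proto == "udp" and sport == 53:    # resolver -> host: DNS response
            feats[(dst, win)][1] += 1
            last_dns_resp[dst] = ts
        else:                                   # ordinary flow initiated by src
            resp_ts = last_dns_resp.get(src)
            if resp_ts is not None and ts - resp_ts <= lookback_s:
                feats[(src, win)][2] += 1       # preceded by a DNS lookup: normal
            else:
                feats[(src, win)][3] += 1       # no recent DNS lookup: anomaly
    return dict(feats)


def anomaly_ratio(pattern):
    """Share of non-DNS flows not explained by DNS (illustrative stand-in for the SVM)."""
    _, _, normals, anomalies = pattern
    total = normals + anomalies
    return anomalies / total if total else 0.0


if __name__ == "__main__":
    for key, pattern in sorted(feature_patterns(FLOWS).items()):
        print(key, pattern, f"anomaly_ratio={anomaly_ratio(pattern):.2f}")
```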
