Finding the cause for congested virtual private network (VPN) links that connect an office network over the Internet to remote company sites can be a hassle. Scan traffic of worm infected hosts is one important possible cause. We developed a scan detection tool, which continuously monitors network traffic on VPN gateway(s) and that reliably detects and reports worm infected hosts by tracking anomalous TCP, UDP and ICMP traffic. Our tool is not sensitive to most P2P software and was successfully tested on real production traffic as well as with traces of captured real and simulated worm traffic. Our various tests demonstrated a low false positive rate and a high detection rate. Our open source tool is an extension to the free intrusion detection system Bro. It was developed jointly by ETH Zurich and Open Systems, a company offering managed security services, one of which is based on the presented worm scan detection tool. © Springer-Verlag Berlin Heidelberg 2006.
CITATION STYLE
Wagner, A., Dübendorfer, T., Hiestand, R., Göldi, C., & Plattner, B. (2006). A fast worm scan detection tool for VPN congestion avoidance. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4064 LNCS, pp. 181–194). Springer Verlag. https://doi.org/10.1007/11790754_11
Mendeley helps you to discover research relevant for your work.