BADUW: Behavioural based approach for detecting UDP worm

Abstract

A worm is a self-propagating, self-duplicating malicious code that spread without human intervention in computer networks and attacks vulnerable hosts. The severity of network worms depends on the propagation process that degrades the network performance and consume bandwidth and resource (CPU and memory). Thus, this paper presents a behavioral approach for UDP worm (worm uses UDP as transmission mechanism) detection based on scanning and Destination Source Correlation (DSC) behaviors of worm. The proposed approach consists of two sub approaches which are: 1. Statistical Cross-relation Approach for Network Scanning detection (SCANS) approach that is used to detect the presence of network scanning behavior of worm and 2. Worm correlation approach that is used to detect Destination-Source Correlation (DSC) behavior of worm. These behaviors have been chosen among other worm behaviors due to its anomaly behaviors that are clearly exhibit in the network. A salient feature of this approach is that it effective for detecting scanning DSC behaviors of worm with high accuracy. The proposed approach is evaluated with the simulated dataset obtained from Georgia Tech Network Simulator (GTNetS) simulator and confirmed that our approach is efficient in detecting UDP worm than the existing approach.