The disclosures made herein relate to a method and apparatus for detecting propagation of malware, for example, via a shared access point of a communication network. While the invention is particularly directed to the art of wireless local area networks (LANs), and will be thus described with specific reference thereto, it will be appreciated that the invention may have usefulness in other fields and applications. For example, the invention may be used in various wireless or wired communication networks, particularly where an access point is shared by multiple users.
By way of background, malicious software (i.e., malware) is software that typically gets installed on a computer without the knowledge of the user. Malware may operate to damage or impair the computer or misappropriate personal or confidential information. Examples of malware include adware, browser hijackers, keyloggers, ransomware, spyware, trojans, viruses, and worms. A worm has the ability to propagate and infect other computers. Worms may be used to spread viruses and other types of malware.
Worms, especially the fast-spreading “flash worms”, have wreaked havoc on the Internet. Worms like Code Red and Nimda, for example, caused major congestion on the Internet and shut down the networks of many enterprises. New worms, such as Storm, use sophisticated scanning methods to avoid being detected. These worms are referred to as “stealthy worms.” Stealthy worms generally perform scanning for new victims at a much slower rate than flash (i.e., fast-spreading) worms. Stealthy or slow-scanning worms are much harder to detect because the detection thresholds for flash or fast-scanning worms are rarely hit. As shared access points for communication networks, such as wireless LANs, become more and more prevalent, methods for detection of worms, particularly slow-scanning worms, need to be improved and expanded for use in more types of networks.