1. Field of Invention
Embodiments of the invention relate in general to detection and extenuation of network worms. More specifically, the embodiments of the invention relate to methods and systems for enabling the detection of a worm outbreak in a network.
2. Description of the Background Art
Worms spread in a network by the replication of one infected host onto neighboring hosts. The worms generate Internet Protocol (IP) addresses in a random manner and breed/spawn their worm code onto the hosts, which are active in that randomly generated space of IP addresses. The breeding of worms is exponential in nature. For example, in an ‘n’ second timeframe, the number of hosts that are infected equals ‘n0 (1+r)n’, where ‘r’ equals the number of hosts infected by the initial host, and n0 is a constant. In conventional techniques, the outbreak of a worm in a network can be detected by the use of Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). Most current IDS detect known network attacks by comparing the traffic on the network with known attack signatures. However, due to non-availability of known signatures, discovering new worm attack outbreaks can be difficult. Normally, such signatures can only be obtained after detailed analysis and reverse engineering of the new worm. However, this process is time-consuming.
Another conventional technology, known as Anomaly Detection (AD) technology, involves modeling the normal behavior of targets such as hosts, networks, and servers over a period of time. AD systems generate the normal profile of the targets, known as the baseline. Any new behavior from these targets triggers an anomalous event. However, even when the host tries to use a new legitimate service for the first time, these events are susceptible to false positives/alarms.