A worm is a malicious self-replicating program that inserts itself into other systems in the same or slightly modified form to consume resources across a network. Once a host computer has been infected with a worm, it may be a matter of minutes before all of the vulnerable computers on the network are compromised. Some experts have even predicted this infection saturation time to reach mere seconds. Hence the loss in productivity and the resources required for worm cleanup can be astronomical if instant action is not taken after an infection. As network worms are becoming an even greater nuisance and a danger to the functionality and stability of the Internet, there exists a growing need to detect the presence of a worm in a network with speed and accuracy.
Current worm detection technologies center around detecting the actions of a single worm or a group of worms. For example, an exploit or vulnerability signature compiled from a list of worms known to exist can be used in anti-virus-like software on the system level and in Intrusion Prevention Systems (IPS) on the network level to discover possible worm infections. Other techniques attempt to recognize worms by observing macro network behavior such as network saturation or anomalous device communications, e.g., by detecting a spike in traffic generally or of a particular type.
Though each of these techniques can be effective, they have significant drawbacks. The exploit and vulnerability signature approach requires some triggering foreknowledge, which makes it hard to detect previously undiscovered worms that might have different exploit signatures or take advantage of new weaknesses not characterized by the vulnerability signatures. In addition, the growth in network bandwidth and traffic load in recent years has outstripped, and continues to outstrip, the processing capacity of typical anti-virus and/or IPS systems and processes, with the result that typically not all network traffic can be examined as fully as may be required to reliably detect and/or block a worm, even in cases where a signature or other identifying data are known. While macro behavior observations are independent of specific worm signatures, such techniques typically do not provide the sort of specific, actionable, and timely information required to take quick real-time responsive action (e.g., to quarantine an infected system, network, or sub-network, or to isolate a critical system, network, or sub-network from potential sources of infection in time), since the observations only trigger alerts after a possible worm has become a large enough problem to cause an anomaly in network behavior that is significant enough to be observed. Unfortunately, even after observing the anomaly, the user cannot know with certainty whether a particular system and/or network, or portion thereof, is or may be infected, since a benign new program or system on the network could easily have altered network traffic patterns; and even if a worm were present, specific information about the worm, such as may be needed to protect effectively against it, typically is not available, at least initially. Additionally, for both the signature and macro behavior approaches, the data analysis required for detection can be very computationally expensive.
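The two drawbacks described above (a signature table that cannot match an unknown worm, and a traffic-spike observer that only alerts once the anomaly is already large) can be seen side by side on constructed data. The following is an added illustration, not part of the original text; the signature byte patterns, packet payloads, per-slot connection counts and the spike threshold parameters are all constructed assumptions.

```python
from collections import deque

# Constructed placeholder signatures for two "known" worms (not real worm markers).
KNOWN_SIGNATURES = {b"WORM-A-MARKER": "worm-A", b"WORM-B-MARKER": "worm-B"}

# Constructed packet payloads: the last one comes from a hypothetical new worm
# whose marker is not in the table, i.e. the "previously undiscovered" case.
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1",
    b"\x00\x01WORM-A-MARKER\x02",
    b"\x00\x01WORM-C-MARKER\x02",
]

# Constructed per-time-slot outbound connection counts for one host. Baseline is
# about 10-12; the hypothetical worm starts scanning at slot 4 and roughly
# doubles its connection rate each slot.
SAMPLE_COUNTS = [10, 12, 11, 10, 14, 22, 40, 75, 150]
INFECTION_START_SLOT = 4

def signature_detect(payload: bytes):
    """Signature approach: returns the worm name only if a known pattern is present."""
    for pattern, name in KNOWN_SIGNATURES.items():
        if pattern in payload:
            return name
    return None

def spike_alerts(counts, window=4, factor=2.5, min_history=3):
    """Macro-behaviour approach: flag slot i when its count exceeds `factor`
    times the mean of the previous `window` slots (once `min_history` slots exist)."""
    history = deque(maxlen=window)
    alerts = []
    for i, count in enumerate(counts):
        if len(history) >= min_history and count > factor * sum(history) / len(history):
            alerts.append((i, count))
        history.append(count)
    return alerts

def compare_approaches(payloads=SAMPLE_PAYLOADS, counts=SAMPLE_COUNTS):
    """Summarise what each approach reports on the constructed data."""
    hits = [signature_detect(p) for p in payloads]
    alerts = spike_alerts(counts)
    first = alerts[0][0] if alerts else None
    return {
        "signature_hits": hits,      # the unknown worm-C payload yields None
        "first_spike_slot": first,   # first slot the spike detector alerts on
        "lag_slots": None if first is None else first - INFECTION_START_SLOT,
    }

if __name__ == "__main__":
    print(compare_approaches())
```

On this data the signature check flags only worm-A and misses the unknown worm-C payload, while the spike detector first alerts at slot 6, two slots after the infection began, and even then says nothing about which worm or which payload caused it.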
Therefore, it would be desirable to have a better way to identify the existence of a worm in a computer network.