DNS-based Detection of Scanning Worms in an Enterprise Environment

Dave Whyte

Abstract

Computer worms are arguably the most serious security threat facing the Internet. In this talk, we will discuss a new technique for the rapid detection of worm propagation from an enterprise network that is both efficient and accurate enough to enable automatic containment at the network egress points. Implemented in software, it relies on the correlation of Domain Name System (DNS) queries with outgoing connections from an enterprise network.

Significant improvements over existing scanning worm detection techniques include: (1) the possibility to detect worm propagation after only a single infection attempt; (2) the capacity to detect zero-day worms; and (3) a low false positive rate. Furthermore, we believe that this technique can be applied with the same precision to identify other forms of malicious behavior within an enterprise network, such as mass-mailing worms, network reconnaissance activity, and covert communications.
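The following is an added example of the correlation idea described above, written for this page and not code from the talk or its author. It assumes two constructed log feeds (DNS answers seen by the resolver and outbound connections seen at the egress point), an assumed internal address space of 10.0.0.0/8, and the rule that a legitimately initiated outbound connection is normally preceded by a DNS answer containing the destination address within that answer's TTL. A connection with no such answer is flagged; with a threshold of one, a single unresolved outbound connection is enough to name the source host.

```python
import ipaddress

# Assumed enterprise address space; connections that stay inside it never cross the egress point.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample logs (not from the talk). Each line is space-separated key=value fields.
DNS_LOG = [
    "t=100 src=10.0.0.5 qname=www.example.com answer=93.184.216.34 ttl=300",
    "t=102 src=10.0.0.9 qname=mail.example.net answer=198.51.100.25 ttl=60",
]
CONN_LOG = [
    "t=105 src=10.0.0.5 dst=93.184.216.34 dport=80",   # preceded by a matching DNS answer: normal
    "t=110 src=10.0.0.7 dst=192.0.2.15 dport=445",     # no DNS answer at all: scanning behaviour
    "t=111 src=10.0.0.7 dst=192.0.2.16 dport=445",     # second unresolved target from the same host
    "t=120 src=10.0.0.9 dst=10.0.0.12 dport=22",       # internal destination: ignored
    "t=150 src=10.0.0.9 dst=198.51.100.25 dport=25",   # within the 60 s TTL of the answer: normal
    "t=500 src=10.0.0.9 dst=198.51.100.25 dport=25",   # answer expired: flagged (a false-positive source)
]


def parse(line):
    """Turn 'k=v k=v ...' into a dict; the log format is constructed for this example."""
    return dict(field.split("=", 1) for field in line.split())


def detect_unresolved_egress(dns_lines, conn_lines):
    """Return (src, dst, dport, t) for every outbound connection not explained by a DNS answer.

    Events are merged in time order so a DNS answer only 'covers' connections that follow it.
    """
    events = [("dns", parse(l)) for l in dns_lines] + [("conn", parse(l)) for l in conn_lines]
    # At equal timestamps process DNS answers before connections.
    events.sort(key=lambda e: (int(e[1]["t"]), e[0] == "conn"))

    resolved = {}  # (src host, answered IP) -> time the answer expires
    flagged = []
    for kind, ev in events:
        t = int(ev["t"])
        if kind == "dns":
            resolved[(ev["src"], ev["answer"])] = t + int(ev["ttl"])
            continue
        if ipaddress.ip_address(ev["dst"]) in INTERNAL_NET:
            continue  # never leaves the enterprise network
        expiry = resolved.get((ev["src"], ev["dst"]))
        if expiry is None or t > expiry:
            flagged.append((ev["src"], ev["dst"], int(ev["dport"]), t))
    return flagged


def suspected_scanners(flagged, threshold=1):
    """Hosts with at least `threshold` unresolved outbound connections; 1 = single-attempt detection."""
    counts = {}
    for src, _dst, _dport, _t in flagged:
        counts[src] = counts.get(src, 0) + 1
    return {src for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = detect_unresolved_egress(DNS_LOG, CONN_LOG)
    for src, dst, dport, t in hits:
        print(f"t={t} {src} -> {dst}:{dport} has no preceding DNS answer")
    print("suspected scanners:", sorted(suspected_scanners(hits)))
```

The last constructed connection shows the caveat a deployment has to handle: 10.0.0.9 reuses an address after the DNS answer's TTL has lapsed and is flagged alongside the genuine scanner 10.0.0.7. Tuning the validity window, or exempting hosts that legitimately connect by address (internal mail relays, hard-coded monitoring targets), is what keeps the false positive rate low in practice.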