Toward Network Worm Victims Identification Based on Cascading Motif Discovery

Abstract

Network worms spread widely over the global network within a short time, which are increasingly becoming one of the most potential threats to network security. However, the performance of traditional packet-oriented signature-based methods is questionable in the face of unknown worms, while anomaly-based approaches often exhibit high false positive rates. It is a common scenario that the life cycle of network worms consists of the same four stages, in which the target discovery phase and the transferring phase have specific interactive patterns. To this end, we propose Network Flow Connectivity Graph (NFCG) for identifying network worm victims. We model the flow-level interactions as graph and then identify sets of frequently occurring motifs related to network worms through Cascading Motif Discovery algorithm. In particular, a cascading motif is jointly extracted from graph target discovery phase and transferring phase. If a cascading motif exists in a connected behavior graph of one host, the host would be identified as a suspicious worm victim; the excess amount of suspicious network worm victims is used to reveal the outbreak of network worms. The simulated experiments show that our proposed method is effective and efficient in network worm victims’ identification and helpful for improving network security.