Visualization for Intrusion Detection—Hooking the Worm

Understanding Intrusion Detection Through Visualization

Part of the book series: Advances in Information Security (ADIS, volume 24)

7. Conclusion

We have demonstrated that worm activity can be detected and analyzed by applying a trellis plot of parallel coordinate visualizations to the log of a small web server. The different requests made by worms can be correlated with the particular type of worm making the requests. Furthermore, for the data set in this paper, the clusters formed by worm requests are markedly different from the clusters formed by benign requests. Other patterns of malicious requests were also found: one that was worm-like and distinct from benign access requests, and one that was not and, as a result, was overlooked when the first version of this paper was published. The visualization was successful even though the number of data points visualized was larger than what is generally considered the limit for such methods.

Four different worm (or worm-like) activities were found. Two of these were found to be indicative of the Nimda worm, one of the Code Red worm, and the last two of a then largely unknown malicious activity, later identified as emanating from the manual application of the tool sfind.exe.


© 2006 Springer Science+Business Media, Inc.

Cite this chapter

(2006). Visualization for Intrusion Detection—Hooking the Worm. In: Understanding Intrusion Detection Through Visualization. Advances in Information Security, vol 24. Springer, Boston, MA. https://doi.org/10.1007/0-387-27636-X_7

  • DOI: https://doi.org/10.1007/0-387-27636-X_7

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-27634-2

  • Online ISBN: 978-0-387-27636-6

  • eBook Packages: Computer Science, Computer Science (R0)
