A NOVEL METHOD FOR NETWORK WORM DETECTION BASED ON WAVELET PACKET ANALYSIS / 药物分析学报

Objective To detect unknown network worm at its early propagation stage. Methods On the basis of characteristics of network worm attack, the concept of failed connection flow (FCT) was defined. Based on wavelet packet analysis of FCT time series, this method computed the energy associated with each wavelet packet of FCT time series, transformed the FCT time series into a series of energy distribution vector on frequency domain, then a trained K-nearest neighbor (KNN) classifier was applied to identify the worm. Results The experiment showed that the method could identify network worm when the worm started to scan. Compared to theoretic value, the identification error ratio was 5.69%. Conclusion The method can detect unknown network worm at its early propagation stage effectively.

A novel method for network worm detection based on wavelet packet analysis / 西安交通大学学报·英文版

Objective: To detect unknown network worm at its early propagation stage. Methods: On the basis of characteristics of network worm attack, the concept of failed connection flow (FCT) was defined. Based on wavelet packet analysis of FCT time series, this method computed the energy associated with each wavelet packet of FCT time series, transformed the FCT time series into a series of energy distribution vector on frequency domain, then a trained K-nearest neighbor (KNN) classifier was applied to identify the worm. Results: The experiment showed that the method could identify network worm when the worm started to scan. Compared to theoretic value, the identification error ratio was 5.69%. Conclusion: The method can detect unknown network worm at its early propagation stage effectively.