Design of a system for real-time worm detection

B. Madhusudan, J. Lockwood

Proceedings. 12th Annual IEEE Symposium on High Performance Interconnects, published 2004-08-05
DOI: 10.1109/CONECT.2004.1375207 (https://doi.org/10.1109/CONECT.2004.1375207)
Citations: 32

Abstract

Recent well-publicized attacks have made it clear that worms constitute a threat to Internet security. Systems that secure networks against malicious code are expected to be a part of the critical Internet infrastructure in the future. Intrusion detection and prevention systems (IDPS) currently have limited use because they can filter only known worms. We present the design and implementation of a system that automatically detects new worms in real time by monitoring traffic on a network. The system uses field-programmable gate arrays (FPGAs) to scan packets for patterns of similar content. Given that a new worm hits the network and the rate of infection is high, the system is automatically able to detect an outbreak. Frequently occurring strings in packet payloads are instantly reported as likely worm signatures.