ARP-based Detection of Scanning Worms Within an Enterprise Network

David Whyte, P. C. van Oorschot, Evangelos Kranakis

Annual Computer Security Applications Conference (2005)

Citations: 33 | Views: 4
Abstract
Rapidly propagating worms are arguably the greatest security threat currently facing the Internet. To date, worm writers have been successful in penetrating most security countermeasures. Signature-based detection schemes often fail to detect zero-day worms, and their ability to rapidly react to new threats is limited as they typically require some form of human involvement to formulate updated attack signatures. We propose an anomaly-based detection technique designed to protect internal networks from scanning worm infections. This is the first publication in the open literature (to our knowledge) proposing and providing a detailed description of a method to detect propagation of scanning worms within individual network cells. We show that this technique is both accurate and rapid enough to enable automatic containment and suppression of worm propagation within a network cell. Implemented in software, our detection approach relies on an aggregate anomaly score, derived from the correlation of Address Resolution Protocol (ARP) activity from individual network attached devices. Our preliminary analysis and prototype indicate that this technique can be used to rapidly detect zero-day worms within a very small number of scans, e.g. three scans with a false positive rate of five over a two-week period in our test environment. The necessary individual ARP activity system profiles are automatically generated during a training period and thus the software can be rapidly deployed with minimal tuning and administration.
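The abstract describes learning a per-host profile of ARP activity during a training period and then raising an aggregate anomaly score when a host's later ARP requests depart from that profile. The following is an added illustration written for this page, not the authors' prototype or code: it learns, for each host, the set of addresses that host asked for with ARP "who-has" requests, then counts distinct unprofiled targets inside a sliding window and alerts once a threshold is reached. The record format, the 60-second window, the threshold of three and the distinct-target scoring rule are assumptions chosen to mirror the "three scans" figure above; the paper's actual score computation is not reproduced here.

```python
"""Added illustration of ARP-profile-based scan detection (not the paper's code).

Each host gets a profile: the set of addresses it asked for via ARP "who-has"
during a training window.  Afterwards, requests for addresses outside the
profile raise the host's anomaly score, and reaching `threshold` distinct new
targets inside a sliding window triggers an alert.  The log format, window,
threshold and scoring rule are all assumptions made for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpRequest:
    ts: float      # seconds (constructed timestamps)
    src: str       # requesting host
    target: str    # address asked for in the "who-has" request


def parse_line(line: str) -> ArpRequest:
    """Parse the constructed record format '<ts> <src> who-has <target>'."""
    ts, src, kw, target = line.split()
    if kw != "who-has":
        raise ValueError(f"unexpected ARP record: {line!r}")
    return ArpRequest(float(ts), src, target)


class ArpScanDetector:
    def __init__(self, threshold: int = 3, window: float = 60.0):
        self.threshold = threshold   # assumed: three unprofiled targets
        self.window = window         # assumed: 60 s sliding window
        self.profiles: dict[str, set[str]] = defaultdict(set)
        # src -> [(ts, target), ...] of recent unprofiled requests
        self.anomalies: dict[str, list[tuple[float, str]]] = defaultdict(list)

    def train(self, requests):
        """Build per-host profiles from a training window (assumed benign)."""
        for r in requests:
            self.profiles[r.src].add(r.target)

    def score(self, r: ArpRequest) -> int:
        """Record r if it is unprofiled; return the host's current score."""
        # A host absent from training has an empty profile, so everything it
        # asks for scores: this is where new devices cause false positives.
        if r.target not in self.profiles[r.src]:
            self.anomalies[r.src].append((r.ts, r.target))
        return self._current(r.src, r.ts)

    def _current(self, src: str, now: float) -> int:
        """Distinct unprofiled targets seen from src within the window."""
        recent = [(t, tgt) for t, tgt in self.anomalies[src] if now - t <= self.window]
        self.anomalies[src] = recent
        return len({tgt for _, tgt in recent})

    def run(self, requests):
        """Return alerts as (src, ts, score), once per host per threshold crossing."""
        alerts, alerted = [], set()
        for r in requests:
            s = self.score(r)
            if s >= self.threshold and r.src not in alerted:
                alerts.append((r.src, r.ts, s))
                alerted.add(r.src)
            elif s < self.threshold:
                alerted.discard(r.src)   # re-arm once the window has drained
        return alerts


# Constructed sample records: a short benign training window, then live traffic
# in which 10.0.0.5 starts asking for addresses it never requested before.
TRAINING = [
    "1000 10.0.0.5 who-has 10.0.0.1",
    "1001 10.0.0.5 who-has 10.0.0.9",
    "1002 10.0.0.7 who-has 10.0.0.1",
    "1003 10.0.0.9 who-has 10.0.0.5",
]
LIVE = [
    "2000 10.0.0.7 who-has 10.0.0.1",    # profiled: no score
    "2001 10.0.0.5 who-has 10.0.0.9",    # profiled: no score
    "2002 10.0.0.5 who-has 10.0.0.40",   # score 1
    "2003 10.0.0.5 who-has 10.0.0.41",   # score 2
    "2003 10.0.0.5 who-has 10.0.0.41",   # retransmit of same target: still 2
    "2004 10.0.0.5 who-has 10.0.0.42",   # score 3 -> alert
    "2005 10.0.0.5 who-has 10.0.0.43",   # score 4, already alerted
]


def demo():
    det = ArpScanDetector()
    det.train(parse_line(l) for l in TRAINING)
    return det.run(parse_line(l) for l in LIVE)


if __name__ == "__main__":
    print(demo())   # [('10.0.0.5', 2004.0, 3)]
```

Retransmitted requests for the same target do not inflate the score, and once the window drains the host's score falls back and the alert re-arms, so a single burst produces one alert rather than one per request.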