Host-Based Detection of P2P Active Worm Through Extensive Packet Matching

Abstract

Active worms continue to pose major threats to the security of today's Internet, because they propagate automatically and compromise Internet hosts without human intervention. With the recent surge of peer-to-peer (P2P) networks with large numbers of users and rich connectivity, an active P2P worm does not need to scan: it can use the neighbor routing table of the P2P network as a hit-list to launch an attack. This avoids the blind scanning that is the shortcoming of traditional Internet worms, produces a low rate of failed network connections, and spreads faster. To improve the security of P2P networks, this paper addresses the issue by analyzing active worm propagation on P2P networks and proposes an effective detection strategy within the P2P network based on the rule that "packets with similar payload (data) sent to many hosts in a very short time using the same protocol and destination port are an attempt to carry out worm propagation". The implementation shows that P2P active worm anomalies can be detected with as few false positive alarm messages as possible.

Keywords: P2P network; Active worm attacks; Network security.
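The detection rule stated in the abstract can be turned into a small host-side monitor over outbound traffic. The following is an added example, not the paper's implementation: it keys recent outbound packets by (protocol, destination port), keeps a sliding time window, measures payload similarity with Python's `difflib.SequenceMatcher`, and raises an alert when near-identical data has reached at least `min_hosts` distinct hosts inside the window. The window length, host threshold, similarity threshold, and the sample traffic are all assumptions constructed for illustration.

```python
"""Host-side detector for the P2P active-worm propagation rule.

Rule (from the abstract): similar payloads sent to many distinct hosts in a
short time, over the same protocol and destination port, indicate worm
propagation.  Added example; thresholds and the similarity metric are
assumptions, not values taken from the paper.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class Packet:
    ts: float       # seconds since capture start
    dst: str        # destination host
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    payload: bytes  # application data


def similar(a: bytes, b: bytes, threshold: float) -> bool:
    """True if the payloads match at or above `threshold` (0..1).

    quick_ratio() is an upper bound on ratio(), so it is a cheap way to
    reject clearly different payloads before the full comparison.
    """
    if not a or not b:
        return a == b
    m = SequenceMatcher(None, a, b)
    if m.quick_ratio() < threshold:
        return False
    return m.ratio() >= threshold


class WormDetector:
    def __init__(self, window=1.0, min_hosts=5, threshold=0.9):
        self.window = window          # seconds of history kept per key
        self.min_hosts = min_hosts    # distinct targets needed to alert
        self.threshold = threshold    # payload similarity needed to group
        # (proto, dport) -> recent outbound packets, oldest first
        self._recent = defaultdict(deque)

    def observe(self, pkt: Packet):
        """Feed one outbound packet; return the set of distinct hosts that
        received a similar payload (including pkt.dst) if the rule fires,
        otherwise None."""
        q = self._recent[(pkt.proto, pkt.dport)]
        # Expire packets that have fallen out of the time window.
        while q and q[0].ts < pkt.ts - self.window:
            q.popleft()
        hosts = {pkt.dst}
        for old in q:
            if old.dst not in hosts and similar(old.payload, pkt.payload, self.threshold):
                hosts.add(old.dst)
        q.append(pkt)
        return frozenset(hosts) if len(hosts) >= self.min_hosts else None


def scan(packets, **kw):
    """Run the detector over a packet list; return (ts, proto, dport, hosts) alerts."""
    det = WormDetector(**kw)
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        hit = det.observe(p)
        if hit:
            alerts.append((p.ts, p.proto, p.dport, hit))
    return alerts


def sample_traffic():
    """Constructed outbound traffic from one peer (not a real capture)."""
    queries = [b"QUERY linux iso", b"QUERY holiday photos", b"QUERY podcast ep12",
               b"QUERY lecture notes", b"QUERY soundtrack flac", b"QUERY firmware 2.1",
               b"QUERY ebook epub", b"QUERY recipe pdf"]
    # Benign: distinct search queries fanned out to eight neighbours.
    pkts = [Packet(0.1 * i, f"10.0.0.{i + 1}", "udp", 6881, q)
            for i, q in enumerate(queries)]
    # Benign: identical keepalive to three neighbours (below min_hosts).
    pkts += [Packet(2.0 + 0.1 * i, f"10.0.0.{i + 1}", "tcp", 6881, b"PING")
             for i in range(3)]
    # Worm-like burst: one block pushed to six routing-table neighbours in
    # 0.5 s, payload differing only in the per-target field.
    for i in range(6):
        dst = f"10.0.1.{i + 1}"
        pkts.append(Packet(5.0 + 0.1 * i, dst, "tcp", 6881,
                           b"PUSH update.bin 4096 " + dst.encode()))
    return pkts


if __name__ == "__main__":
    for ts, proto, dport, hosts in scan(sample_traffic()):
        print(f"t={ts:.1f} {proto}/{dport}: similar payload to {len(hosts)} hosts")
```

The keepalive case shows why the rule needs the host threshold: identical payloads to a few neighbours are normal P2P maintenance, and only the fan-out to many hosts within the window distinguishes propagation. Tuning `window` and `min_hosts` against the peer's normal fan-out is what keeps the false-positive rate low in practice.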