Honours Thesis
Early Bird: Catching worms while sysadmins sleep
Andrew Hill, B.Sc., B.Sc. (Math. & Comp. Sci.)
School of Computer Science
The University of Adelaide
South Australia
Supervisors: Mr. Kevin Maciunas and Dr. Cheryl Pope
November 2, 2003
Abstract
This honours thesis demonstrates the need for an automated, anomaly-based Internet worm detection system that is effective at identifying Internet worm packets with a low false-positive rate.
The theory of general Discrete Symbol Hidden Markov Models and the theory of the equivalent on-line models are discussed, and the general structure of Hidden Markov Models is related to the problem of identifying Internet worm packets in a sequence of normal network packets.
The effectiveness of various on-line Hidden Markov Model configurations in detecting Sapphire Internet worm packets in a sequence of normal UDP packets is evaluated, demonstrating that Hidden Markov Models can be successfully used as the basis of an automated, anomaly-based Internet worm detection system.


