Reviewer: Chakchai So-In
Date: 4-5-2007
How would you rate this paper, relative to others we have read? top 50%, but not top 25%
How would you rate your knowledge of the topic of this paper? novice
What problem or issue does the paper address? Why is it important?
To promptly detect zero-day worms (with low propagation rates) on a real-time, high-speed data network.
What are the main contributions of the paper and why are they important?
Perhaps, applying some existing techniques together to create an effective worm detection system: with partial-flow-information detection (traffic distribution), a flow mask can be created to analyze the online content, and with the Longest Common Subsequence algorithm the worm content signature can be extracted in O(nm). The authors make use of the flow distribution with flow traffic features such as source/destination IP and port and flow size, and then track changes in the shape of the feature histogram. They introduced the entropy concept to measure how random a data set is.
How significant are these contributions relative to previous work?
I strongly believe that both techniques have mainly already been used in some ways, but this system applied those techniques and made them usable in practice.
Give detailed comments justifying your view of the paper.
In the introduction, the authors are mostly concerned with worms with large propagation rates such as Nimda and Slammer, but this detection system focuses on worms with low propagation rates. I wonder if, with a few modifications, this could apply to large propagation rates on a very high-speed link, which I believe would be much more useful. If I understand correctly, perhaps with O(nm) the flow mask can be extracted to capture flow information in time (on a >1 Gbps link). With the limitation on flow distribution, perhaps future worms can be written to avoid all these detection features. For the implementation result, the authors injected a known worm traffic pattern into the network along with the known traffic. I don't know if worms whose traffic pattern is unknown can be detected effectively. Also, if possible, it would be better to compare this system with some other existing worm detection systems. Looking at all three graphs, it is quite difficult to interpret the result visually.
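Added illustration (not part of the review above and not the paper's own code): a small Python sketch of the two mechanisms the review summarizes, namely per-feature entropy computed over flow histograms (source/destination IP, destination port, flow size) and compared against a baseline window, followed by an O(nm) Longest Common Subsequence step that folds a candidate content signature out of the payloads of flagged flows. The flow tuples, payloads, 256-byte size buckets and 0.4-bit shift threshold are all constructed assumptions for this example; the paper's actual parameters are not stated in the review.

```python
"""Added example (not from the paper under review): flow-feature entropy
shifts between a baseline window and a suspect window, then an O(nm)
longest-common-subsequence (LCS) pass over payloads of flagged flows."""
import math
from collections import Counter

# Constructed sample flows: (src_ip, dst_ip, dst_port, bytes). Not real traffic.
BASELINE_FLOWS = [
    ("10.0.0.1", "192.0.2.10", 80, 1500),
    ("10.0.0.2", "192.0.2.11", 443, 900),
    ("10.0.0.3", "192.0.2.12", 22, 400),
    ("10.0.0.4", "192.0.2.13", 53, 120),
    ("10.0.0.5", "192.0.2.14", 80, 2100),
    ("10.0.0.6", "192.0.2.15", 25, 600),
    ("10.0.0.7", "192.0.2.16", 443, 1300),
    ("10.0.0.8", "192.0.2.17", 3306, 750),
]
# Constructed "slow worm" window: one source sweeps 16 hosts on one port with
# identically sized flows, on top of the normal baseline traffic.
WORM_FLOWS = [("10.0.0.9", "192.0.2.%d" % (100 + i), 445, 376) for i in range(16)]
WINDOW_FLOWS = BASELINE_FLOWS + WORM_FLOWS

SIZE_BUCKET = 256  # bytes per flow-size histogram bin (assumed value)


def shannon_entropy(counts):
    """Entropy in bits of a histogram given as {value: count}."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def feature_histograms(flows):
    """One histogram per flow feature, as the review describes."""
    hists = {"src_ip": Counter(), "dst_ip": Counter(),
             "dst_port": Counter(), "size_bucket": Counter()}
    for src, dst, port, size in flows:
        hists["src_ip"][src] += 1
        hists["dst_ip"][dst] += 1
        hists["dst_port"][port] += 1
        hists["size_bucket"][size // SIZE_BUCKET] += 1
    return hists


def feature_entropies(flows):
    return {name: shannon_entropy(h) for name, h in feature_histograms(flows).items()}


def entropy_shifts(baseline, window, threshold=0.4):
    """Features whose entropy moved by more than `threshold` bits vs. baseline.
    delta < 0: the histogram collapsed (one source / one port / one size
    dominates); delta > 0: it spread out (many new destinations)."""
    base, cur = feature_entropies(baseline), feature_entropies(window)
    return {f: cur[f] - base[f] for f in base if abs(cur[f] - base[f]) > threshold}


def lcs(a, b):
    """One longest common subsequence of byte strings a and b, O(len(a)*len(b))
    time and memory; the full table is kept so the subsequence can be read back."""
    n, m = len(a), len(b)
    L = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n):
        for j in range(m):
            L[i + 1][j + 1] = L[i][j] + 1 if a[i] == b[j] else max(L[i][j + 1], L[i + 1][j])
    out, i, j = bytearray(), n, m
    while i and j:  # backtrack from the bottom-right corner
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1]); i -= 1; j -= 1
        elif L[i - 1][j] >= L[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return bytes(reversed(out))


def is_subsequence(sub, s):
    it = iter(s)
    return all(c in it for c in sub)


def extract_signature(payloads):
    """Fold pairwise LCS over payloads of flows the entropy stage flagged.
    Pairwise folding is a heuristic: each step keeps only one LCS, so bytes
    common to all payloads can still be dropped, and the result is a
    subsequence, not necessarily a contiguous byte string."""
    sig = payloads[0]
    for p in payloads[1:]:
        sig = lcs(sig, p)
    return sig


# Constructed payloads sharing one fixed fragment inside varying HTTP requests.
MARKER = b"\x90\x90\x90\xeb\x1f\x5e\x89\x76\x08"
PAYLOADS = [
    b"GET /index.html HTTP/1.0\r\nHost: a\r\n\r\n" + MARKER + b"AAAA",
    b"POST /cgi-bin/x HTTP/1.1\r\nHost: bb\r\n\r\nq=" + MARKER + b"ZZ",
    b"GET /?id=7 HTTP/1.1\r\nUser-Agent: c\r\n\r\n" + MARKER,
]

if __name__ == "__main__":
    print(feature_entropies(BASELINE_FLOWS))
    print(entropy_shifts(BASELINE_FLOWS, WINDOW_FLOWS))
    print(extract_signature(PAYLOADS))
```

On the constructed window all four features cross the threshold: source IP, destination port and size-bucket entropy fall (one host, one port, one size dominate) while destination IP entropy rises (the sweep touches many new hosts). The direction of the shift is the useful signal; a single absolute entropy value says little without the baseline. The LCS table costs O(nm) memory as written, which matters at the link rates the review mentions, so a production implementation would bound payload lengths or use a linear-space variant.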