In this paper, we present an integrated system for the detection and mitigation of zero-day scanning and mass-mailing worms. The detection engine of our system uses the domain name system (DNS) anomalies of worm traffic, an idea that has been noted by several security researchers. Once a worm is detected, the firewall rules are automatically updated to isolate the infected host, and an automatic alert is sent to the user of that host. The system can be configured so that the user's response to this alert is used to undo the firewall updates, which reduces the interruption of service caused by false alarms. The developed system has been tested with real worms in a controlled network environment. The experimental results confirm the soundness and effectiveness of the developed system.
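The detect / isolate / alert / undo loop the abstract describes, as an added illustration (this is not the paper's code). The page does not say which DNS anomaly the detection engine uses, so this example assumes the two commonly cited ones: a host opening outbound TCP connections to addresses it never resolved through DNS (scanning behaviour) and a host issuing a burst of MX lookups (mass-mailing behaviour). The thresholds, the event format, the sample event stream and the iptables-style rule text are all constructed for the example.

```python
"""Toy DNS-anomaly worm detector with automatic host isolation and undo.

Added example, not the paper's implementation. Assumed anomalies (not stated
on the page): outbound TCP to never-resolved addresses, and MX lookup bursts.
Thresholds, event format and rule strings are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    ts: float
    host: str       # internal host that generated the traffic
    kind: str       # "dns_a" (A answer), "dns_mx" (MX query) or "tcp" (SYN out)
    target: str     # resolved IP (dns_a), queried domain (dns_mx), dst IP (tcp)


@dataclass
class Isolator:
    unresolved_threshold: int = 5      # unresolved connections per window -> isolate
    mx_threshold: int = 3              # MX lookups per window -> isolate
    window: float = 10.0               # seconds
    resolved: dict = field(default_factory=lambda: defaultdict(set))
    unresolved: dict = field(default_factory=lambda: defaultdict(list))
    mx: dict = field(default_factory=lambda: defaultdict(list))
    rules: dict = field(default_factory=dict)    # host -> active firewall rule
    alerts: list = field(default_factory=list)   # (host, reason) sent to the user

    def _recent(self, times, now):
        """Drop timestamps outside the sliding window; return how many remain."""
        times[:] = [t for t in times if now - t <= self.window]
        return len(times)

    def process(self, ev):
        """Feed one traffic event; return a firewall rule if the host is isolated."""
        if ev.kind == "dns_a":
            self.resolved[ev.host].add(ev.target)       # remember legitimate targets
            return None
        if ev.kind == "dns_mx":
            self.mx[ev.host].append(ev.ts)
            if self._recent(self.mx[ev.host], ev.ts) >= self.mx_threshold:
                return self.isolate(ev.host, "mass-mailing: MX lookup burst")
            return None
        if ev.kind == "tcp":
            if ev.target in self.resolved[ev.host]:
                return None                             # resolved first: normal
            self.unresolved[ev.host].append(ev.ts)
            if self._recent(self.unresolved[ev.host], ev.ts) >= self.unresolved_threshold:
                return self.isolate(ev.host, "scanning: connections without DNS resolution")
        return None

    def isolate(self, host, reason):
        """Install a DROP rule for the host once and queue the user alert."""
        if host in self.rules:
            return None                                 # already isolated
        rule = f"iptables -I FORWARD -s {host} -j DROP"  # constructed rule text
        self.rules[host] = rule
        self.alerts.append((host, reason))
        return rule

    def user_response(self, host, false_alarm):
        """User's reply to the alert: a false-alarm answer undoes the rule."""
        if false_alarm and host in self.rules:
            return self.rules.pop(host).replace("-I", "-D", 1)
        return None


def run_sample():
    """Constructed event stream: one clean host, one scanner, one mass mailer."""
    events = [
        Event(0.0, "10.0.0.5", "dns_a", "93.184.216.34"),
        Event(0.1, "10.0.0.5", "tcp", "93.184.216.34"),     # resolved, then connected
        Event(1.0, "10.0.0.7", "tcp", "10.1.2.3"),          # no lookup before any of these
        Event(1.1, "10.0.0.7", "tcp", "10.1.2.4"),
        Event(1.2, "10.0.0.7", "tcp", "10.1.2.5"),
        Event(1.3, "10.0.0.7", "tcp", "10.1.2.6"),
        Event(1.4, "10.0.0.7", "tcp", "10.1.2.7"),
        Event(2.0, "10.0.0.9", "dns_mx", "example.com"),    # MX burst
        Event(2.1, "10.0.0.9", "dns_mx", "example.net"),
        Event(2.2, "10.0.0.9", "dns_mx", "example.org"),
    ]
    iso = Isolator()
    actions = [a for a in map(iso.process, events) if a]
    # The user of 10.0.0.9 reports a false alarm, so its rule is rolled back.
    undo = iso.user_response("10.0.0.9", false_alarm=True)
    return iso, actions, undo


if __name__ == "__main__":
    iso, actions, undo = run_sample()
    print("rules installed:", actions)
    print("alerts:", iso.alerts)
    print("undo:", undo)
```

The undo path is what keeps false positives survivable: the rule is installed immediately, but the user's reply can reverse it without an administrator in the loop. In a real deployment the window and thresholds would be tuned per network, and the `resolved` set would need expiry so it does not grow without bound.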