
Worm Detection without Knowledge Base in Industrial Networks

Huayang Cao (1), Jinjing Zhao (2, 3), Peidong Zhu (1), Xicheng Lu (1), and Chonglun Zhao (1)
1. National University of Defense Technology, Changsha, 410073, China
2. Beijing Institute of System Engineering, Beijing, 100029, China
3. National Key Laboratory of Science and Technology on Information System Security, Beijing, 100029, China

Abstract—A sophisticated worm, namely Stuxnet, attacked Iranian nuclear facilities in 2010. This incident, together with newly discovered similar worms such as Duqu, Flame, and Gauss, highlights the cyber threat to industrial networks. These worms are highly targeted and are carefully tested before being released. They are difficult for current security products to detect, because no knowledge about them exists while they are spreading. In this paper we introduce a worm detection mechanism that does not require any knowledge of known worms. The mechanism maintains a worm propagation model, traces the spread of suspicious files, and triggers alerts based on that model. An experiment in detecting Stuxnet demonstrates its effectiveness. We also give a performance analysis at the end of the paper.

Index Terms—industrial network, Stuxnet, worm detection, colored Petri net.

Cite: Huayang Cao, Jinjing Zhao, Peidong Zhu, Xicheng Lu, and Chonglun Zhao, "Worm Detection without Knowledge Base in Industrial Networks," Journal of Communications, vol. 8, no. 11, pp. 716-723, 2013. doi: 10.12720/jcm.8.11.716-723