Abstract—A sophisticated worm, Stuxnet, attacked Iranian nuclear facilities in 2010. This incident, together with newly discovered similar worms such as Duqu, Flame and Gauss, highlights the cyber threat to industrial networks. These worms are highly targeted and carefully tested before release. They are difficult for current security products to detect, because nothing is known about them while they are spreading. In this paper we introduce a worm detection mechanism that needs no knowledge of known worms. The mechanism maintains a worm propagation model, traces the spread of suspicious files, and triggers alerts based on that model. An experiment detecting Stuxnet shows its efficiency. We also give a performance analysis at the end of the paper.
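As an added illustration of the idea stated in the abstract (this is not the authors' model or code): file copies between hosts are traced with one token colour per file hash, and an alert fires when a file is re-forwarded by hosts that themselves received it, so detection needs no signature of the worm. Host names, hashes, the event list and the thresholds are constructed for the example.

```python
from collections import defaultdict

# Constructed file-transfer events observed on an industrial network:
# (timestamp, source host, destination host, hash of the transferred file).
EVENTS = [
    (1, "eng-ws1", "plc-hmi1", "h_update"),    # benign push from an engineering station
    (2, "eng-ws1", "plc-hmi2", "h_update"),    # same file, same single source
    (3, "usb-ws3", "eng-ws2", "h_unknown"),    # unknown file arrives on a workstation
    (4, "eng-ws2", "plc-hmi3", "h_unknown"),   # recipient forwards it onward
    (5, "plc-hmi3", "plc-hmi4", "h_unknown"),  # next recipient forwards it again
    (6, "plc-hmi4", "eng-ws5", "h_unknown"),
]


class PropagationModel:
    """Token-based propagation model: each host is a place, each file hash a
    token colour; a transfer copies the token to the destination place.
    Thresholds are assumed values, not those of the paper."""

    def __init__(self, chain_alert=2, hosts_alert=3):
        self.holders = defaultdict(set)        # hash -> hosts holding the file
        self.received_from = defaultdict(dict)  # hash -> {host: host it got it from}
        self.chain_alert = chain_alert          # minimum forwarding depth to alert
        self.hosts_alert = hosts_alert          # minimum number of holders to alert

    def chain_depth(self, h, host):
        """Length of the receive chain behind `host` for file `h` (cycle-safe)."""
        seen, depth = set(), 0
        while host in self.received_from[h] and host not in seen:
            seen.add(host)
            host = self.received_from[h][host]
            depth += 1
        return depth

    def fire(self, t, src, dst, h):
        """Apply one transfer event; return an alert dict or None."""
        self.holders[h].add(src)
        self.holders[h].add(dst)
        self.received_from[h].setdefault(dst, src)
        # A single source fanning out gives depth 1 (software distribution);
        # recipients that re-transmit build a deeper chain (worm-like spread).
        depth = self.chain_depth(h, dst)
        if depth >= self.chain_alert and len(self.holders[h]) >= self.hosts_alert:
            return {"time": t, "hash": h, "depth": depth, "hosts": sorted(self.holders[h])}
        return None


def run(events, **thresholds):
    """Replay events through a fresh model and collect the alerts raised."""
    model = PropagationModel(**thresholds)
    return [a for a in (model.fire(*e) for e in events) if a]
```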
Index Terms—industrial network, Stuxnet, worm detection, colored Petri net.
Cite: Huayang Cao, Jinjing Zhao, Peidong Zhu, Xicheng Lu, and Chonglun Zhao, "Worm Detection without Knowledge Base in Industrial Networks," Journal of Communications, vol. 8, no. 11, pp. 716-723, 2013. doi: 10.12720/jcm.8.11.716-723
Copyright © 2013-2023 Journal of Communications, All Rights Reserved