Worm Detection without Knowledge Base in Industrial Networks

2013 
A sophisticated worm, namely Stuxnet, attacked Iran's nuclear facilities in 2010. This incident, together with newly found similar worms, e.g., Duqu, Flame, and Gauss, highlights the cyber threat in industrial networks. These worms are highly targeted and are carefully tested before being released. They are difficult to detect with current security products, as there is no knowledge about them while they are spreading. In this paper we introduce a worm detection mechanism that does not need any knowledge of known worms. The mechanism maintains a worm propagation model, traces the spread of suspicious files, and triggers alerts based on the model. An experiment in detecting Stuxnet shows its efficiency. We also give a performance analysis at the end of the paper.