Detecting Highly-Targeted New Worms in Industrial Networks

2013 
Recent sophisticated worm attacks, such as Stuxnet, Duqu, and Flame, have shown that industrial infrastructure networks have become attractive targets for adversaries. These highly-targeted worms are difficult to identify with current worm detection measures. This paper proposes a novel method for worm detection in industrial infrastructure networks. The proposal relies on the fundamental feature of worms that they propagate from host to host. In industrial networks, the propagation path definitely comprises a series of hosts from multiple network zones and forms a tree structure. We use the transmission of similar packets to trace worm propagation, and introduce a training phase to differentiate worms from valid network activities. This measure is generally applicable to protecting industrial infrastructure networks against worm-based intrusions, as it doesn't need a knowledge base of known worms.
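The idea in the abstract can be sketched as follows; this is an added illustration, not the paper's algorithm or code. The similarity measure (Jaccard over 4-byte shingles), the thresholds, and all host names, zones and payloads are assumptions made for the example.

```python
def shingles(payload, k=4):
    """Set of k-byte substrings: a cheap fingerprint for payload similarity."""
    return frozenset(payload[i:i + k] for i in range(max(1, len(payload) - k + 1)))

def similar(a, b, threshold=0.7):
    """Jaccard similarity of two shingle sets (threshold is an assumed value)."""
    return len(a & b) / len(a | b) >= threshold
def train(benign_packets):
    """Training phase: fingerprint payloads seen during known-good operation."""
    return [shingles(p) for _ts, _src, _dst, p in benign_packets]

def detect(packets, zone_of, baseline, min_hosts=3, min_zones=2):
    """Return root-to-leaf host paths along which a similar payload was relayed."""
    trees, alerts = [], []                 # tree: (fingerprint, {host: parent})
    for _ts, src, dst, payload in sorted(packets):
        fp = shingles(payload)
        if any(similar(fp, b) for b in baseline):
            continue                       # learned as valid activity
        # A host relaying a payload similar to one it received extends that tree.
        tree = next((t for t in trees if src in t[1] and similar(fp, t[0])), None)
        if tree is None:
            tree = (fp, {src: None})       # src is the root of a new candidate tree
            trees.append(tree)
        parent = tree[1]
        if dst in parent:
            continue                       # host already placed in this tree
        parent[dst] = src
        path, node = [], dst
        while node is not None:            # walk back to the root
            path.append(node)
            node = parent[node]
        path.reverse()
        if len(path) >= min_hosts and len({zone_of[h] for h in path}) >= min_zones:
            alerts.append(path)
    return alerts

# Constructed sample data: hosts, zones and payloads are invented for this example.
ZONES = {"ops-ws": "enterprise", "eng-ws": "enterprise", "hist-01": "dmz",
         "hmi-02": "control", "plc-gw": "control"}
BENIGN = [(0, "hist-01", "hmi-02", b"POLL tag=flow_rate unit=7 seq=0001")]
P = b"CONSTRUCTED-SAMPLE-PAYLOAD id="
TRAFFIC = [(10, "hist-01", "hmi-02", b"POLL tag=flow_rate unit=7 seq=0002"),
           (20, "eng-ws", "hist-01", P + b"01"),
           (25, "ops-ws", "eng-ws", b"GET /shift-report.pdf HTTP/1.1"),
           (30, "hist-01", "hmi-02", P + b"02"),
           (40, "hmi-02", "plc-gw", P + b"03")]
if __name__ == "__main__":
    for path in detect(TRAFFIC, ZONES, train(BENIGN)):
        print(" -> ".join(path))
```

The routine poll is suppressed by the trained baseline and the one-off download never grows past two hosts, so only the relayed payload crossing the enterprise, DMZ and control zones is reported.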