Call for Paper - January 2023 Edition
IJCA solicits original research papers for the January 2023 Edition. Last date of manuscript submission is December 20, 2022. Read More

Setting a Worm Attack Warning by using Machine Learning to Classify NetFlow Data

International Journal of Computer Applications
© 2011 by IJCA Journal
Volume 36 - Number 2
Year of Publication: 2011
Shubair A. Abdulla
Sureswara Ramadass
Altyeb Altaher
Amer Al Nassiri

Shubair A Abdulla, Sureswara Ramadass, Altyeb Altaher and Amer Al Nassiri. Article: Setting a Worm Attack Warning by using Machine Learning to Classify NetFlow Data. International Journal of Computer Applications 36(2):49-56, December 2011. Full text available. BibTeX

	author = {Shubair A. Abdulla and Sureswara Ramadass and Altyeb Altaher and Amer Al Nassiri},
	title = {Article: Setting a Worm Attack Warning by using Machine Learning to Classify NetFlow Data},
	journal = {International Journal of Computer Applications},
	year = {2011},
	volume = {36},
	number = {2},
	pages = {49-56},
	month = {December},
	note = {Full text available}


We present a worm warning system that leverages the reliability of IP-Flow and the effectiveness of machine learning techniques. Our system aims at setting an alarm in case a node is behaving maliciously. Typically, a host infected by a scanning or an email worm initiates a significant amount of traffic that does not rely on DNS to translate names into numeric IP addresses. Based on this fact, we capture and classify NetFlow records to extract features that uniquely identify worm's flow. The features are encapsulated into a set of feature patterns to train the support vector machines (SVM). A feature pattern includes: no of DNS requests, no of DNS responses, no of DNS normals, and no of DNS anomalies, for each PC on the network within a certain period of time. The SVM training is performed by using five of the most dangerous scanning worms: CodeRed, Slammer, Sasser, Witty, and Doomjuice as well as five email worms: Sobig, NetSky, MyDoom, Storm and Conficker. Eleven worms have been used during the test: Welchia, Dabber, BlueCode, Myfip, Nimda, Sober, Bagle, Francette, Sasser, MyDoom, and Conficker. The results of experiments manifest the soundness of the worm warning system.


  • Anna Sperotto, Gregor Schaffrath, Ramin Sadre, Cristian Morariu, Aiko Pras, and Burkhard Stiller, "An Overview of IP Flow-Based Intrusion Detection," Communications Surveys & Tutorials, IEEE, Vol. 12, No. 3. (2010).
  • M. Roesch, "Snort, intrusion detection system," Jul. 2008. [Online]. Available:
  • B. Claise, "Cisco Systems NetFlow Services Export Version 9," RFC 3954 (Informational), Jul. 2008. [Online]. Available: http: //
  • P. Phaal, S. Panchen, and N. McKee, " InMon Corporation's sFlow: A Method for Monitoring Traffic in Switched and Routed Networks," RFC 3176 (Informational), Sep. 2001. [Online]. Available:
  • A. Wagner and B. Plattner, "Entropy based worm and anomaly detection in fast IP networks," in Proc. of 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE '05), June 2005, pp. 172–177
  • Q. Zhao, J. Xu, and A. Kumar, "Detection of super sources and destinations in high-speed networks: Algorithms, analysis and evaluation," IEEE Journal on Selected Areas in Communications, vol. 24, no. 10, pp. 1840–1852, Oct. 2006
  • Y. Gao, Z. Li, and Y. Chen, "A dos resilient flow-level intrusion detection approach for high-speed networks," in Proc. of the 26th IEEE International Conference on Distributed Computing Systems (ICDCS '06), 2006, p. 39
  • M. Collins and M. Reiter, "Hit-list worm detection and bot identification in large networks using protocol graphs," in Proc. of 10th International Symposium on Recent Advances in Intrusion Detection (RAID'07), 2007, pp. 276–295
  • L Bin, L Chuang, Q Jian, H Jianping, P Ungsunan, "A NetFlow based flow analysis and monitoring system in enterprise networks," Computer Networks (2008), Volume: 52, Issue: 5, Pages: 1074-1092
  • Ismahani Ismail, Muhammad Nadzir Marsono, Sulaiman Mohd Nor, "Detecting Worms Using Data Mining Techniques: Learning in the Presence of Class Noise," sitis, pp.187-194, 2010 Sixth International Conference on Signal-Image Technology and Internet Based Systems, 2010
  • E. Z. M. Schultz, E. Eskin and S. Stolfo, “Data Mining Methods for Detection of New Malicious Executables,” in Proceedings of the IEEE Symposium on Security and Privacy, Los Alamitos,CA, 2001, pp. 38–49.
  • J. Kolter and M. Maloof, “Learning to Detect Malicious Executables in the Wild,” in Proceedings of the Tenth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, Seattle, WA, USA, August 2004, pp. 470–478.
  • W. Wang and D.-S. Luo, “A New Attempt to Detect Polymorphic Worms Based on Semantic Signature and Data-Mining,” in First International Conference of IEEE Communications and Networking (ChinaCom ’06), Beijing, China, October 2006, pp. 1–3.
  • M. Siddiqui, M. C. WANG, and J. Lee, “Detecting Internet Worms Using Data Mining Techniques,” Journal of Systemics, Cybernetics and Informatics, vol. 6, no. 6, pp. 48–53, 2009
  • David Whyte, Evangelos Kranakis, Paul C. van Oorschot, " DNS-based Detection of Scanning Worms in an Enterprise Network," In Proceedings of The 12th Annual Network and Distributed System Security Symposium (February 2005)
  • H. Binsalleeh and A. Youssef. "An implementation for a worm detection and mitigation system," Proc. of the 24th Biennial Symposium on Communications, pages 54–57, 2008.
  • Y. Musashi, R. Matsuba, and K. Sugitani. "Indirect detection of mass mailing worms-infected pc terminals for learners," In 3rd International Conference on Emerging Telecommunications Technologies and Applications, pages 233{237, 2004
  • Y. Musashi and K. Rannenberg. "Detection of mass mailing worm-infected pc terminals by observing dns query access," IPSJ SIG Notes, pages 39-44, 2004
  • K. Ishibashi, T. Toyono, K. Toyama, M. Ishino, H. Ohshima, and I. Mizukoshi, “Detecting mass-mailing worm infected hosts by mining dns traffic data,” in MineNet ’05: Proc. of the 2005 ACM SIGCOMM Workshop on Mining Network Data. New York, NY, USA: ACM, 2005, pp. 159–164.
  • P. Li, M. Salour, X. Su, " A survey of internet worm detection and containment, " Communications Surveys & Tutorials, IEEE, Vol. 10, No. 1. (2008)
  • Tang, Yong; Luo, Jiaqing; Xiao, Bin; Wei, Guiyi, " Concept, Characteristics and Defending Mechanism of Worms, " IEICE Transactions on Information and Systems, Volume E92.D, Issue 5, pp. 799-809 (2009).
  • Botnet Detection. Countering the Largest Security Threat. Spinger, 2008, vol. 36
  • Wei, C., Sprague, A. and Warner, G. "Detection of Network Blocks Used by the Storm Worm Botnet,". In Proc. of 46th ACM Southeast Conference (2008)
  • Phillip Porras, Hassen Saidi, and Vinod Yegneswaran, "An Analysis of Conficker's Logic and Rendezvous Points," March 2009. [Online]. Available:
  • Chih-Wei Hsu and Chih-Jen Lin, "BSVM," August, 2006. [Online]. Available:
  • C. Burges, “A Tutorial on Support Vector Machines for Pattern Recognition,” Data Mining and Knowledge Discovery, vol. 2, no. 2, pp. 121–167, 1998.
  • VX Heavens Virus Collection, VX Heavens website. April 2011. [Online]. Available:
  • O. Sharma, M. Girolami, and J. Sventek, “Detecting worm variants using machine learning,” in CoNEXT ’07: Proceedings of the 2007 ACM CoNEXT conference, (New York, NY, USA), pp. 1–12, ACM, 2007.
  • Yuanyuan Zeng, Xin Hu, Haixiong Wang, Kang G. Shin, and Abhijit Bose. 2008. "Containment of network worms via per-process rate-limiting". In Proceedings of the 4th international conference on Security and privacy in communication netowrks (SecureComm '08). ACM, New York, NY, USA
  • Global hackers website. May 2011. [Online]. Available: