MULTI-AGENT SYSTEM FOR WORM DETECTION AND CONTAINMENT IN METROPOLITAN AREA NETWORKS

Active worms can cause widespread damages at so high a speed that effectively precludes human-directed reaction, and patches for the worms are always available after the damages have been caused, which has elevated them self to a first-class security threat to Metropolitan Area Networks (MAN). Multi-agent system for Worm Detection and Containment in MAN (MWDCM) is presented to provide a first-class automatic reaction mechanism that automatically applies containment strategies to block the propagation of the worms and to protect MAN against worm scan that wastes a lot of network bandwidth and crashes the routers. Its user agent is used to detect the known worms. Worm detection agent and worm detection correlation agent use two-stage based decision method to detect unknown worms. They adaptively study the accessing in the whole network and dynamically change the working parameters to detect the unknown worms. MWDCM confines worm infection within a macro-cell or a micro-cell of the metropolitan area networks, the rest of the accesses and hosts continue functioning without disruption. MWDCM integrates Worm Detection System (WDS) and network management system. Reaction measures can be taken by using Simple Network Management Protocol (SNMP) interface to control broadband access server as soon as the WDS detect the active worm. MWDCM is very effective in blocking random scanning worms. Simulation results indicate that high worm infection rate of epidemics can be avoided to a degree by MWDCM blocking the propagation of the worms.