{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,4]],"date-time":"2026-05-04T13:42:01Z","timestamp":1777902121386,"version":"3.51.4"},"reference-count":30,"publisher":"SAGE Publications","issue":"2","license":[{"start":{"date-parts":[[2007,2,1]],"date-time":"2007-02-01T00:00:00Z","timestamp":1170288000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/journals.sagepub.com\/page\/policies\/text-and-data-mining-license"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["SIMULATION"],"published-print":{"date-parts":[[2007,2]]},"abstract":"<jats:p>Once a host is infected by an Internet worm, prompt action must be taken before that host does more harm to its local network and the rest of the Internet. It is therefore critical to quickly detect that a worm has infected a host. In this paper, we enhance our SWORD system to allow for the detection of infected hosts and evaluate its performance. This enhanced version of SWORD inherits the advantages of the original SWORD: it does not rely on inspecting traffic payloads to search for worm byte patterns or setting up a honeypot to lure worm traffic. Furthermore, while acting as a host-level detection system, it runs at a network's gateway and stays transparent to individual hosts. We show that our enhanced SWORD system is able to quickly and accurately detect if a host is infected by a zero-day worm. Furthermore, the detection is shown to be effective against worms of different types and speeds, including polymorphic worms<\/jats:p>","DOI":"10.1177\/0037549707080753","type":"journal-article","created":{"date-parts":[[2007,7,2]],"date-time":"2007-07-02T03:38:45Z","timestamp":1183347525000},"page":"199-212","source":"Crossref","is-referenced-by-count":4,"title":["Enhancing SWORD to Detect Zero-Day-Worm-Infected Hosts"],"prefix":"10.1177","volume":"83","author":[{"given":"Shad","family":"Stafford","sequence":"first","affiliation":[{"name":"Department of Computer Science University of Oregon Eugene OR 97403-1202, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"family":"Jun Li","sequence":"additional","affiliation":[{"name":"Department of Computer Science University of Oregon Eugene OR 97403-1202, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Toby","family":"Ehrenkranz","sequence":"additional","affiliation":[{"name":"Department of Computer Science University of Oregon Eugene OR 97403-1202, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"179","published-online":{"date-parts":[[2007,2,1]]},"reference":[{"issue":"3","key":"atypb1","first-page":"559","volume":"38","author":"Stafford, S.","year":"2006","journal-title":"Proceeding of the Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS)"},{"key":"atypb2","volume-title":"Proceedings of the USENIX Security Symposium","author":"Staniford, S."},{"key":"atypb3","volume-title":"The spread of the Sapphire\/Slammer SQL worm","author":"Moore, D.","year":"2003"},{"key":"atypb4","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2003.1219056"},{"key":"atypb5","volume-title":"Workshop on Economics and Information Security","author":"Weaver, N."},{"key":"atypb6","volume-title":"Proceedings of the Symposium on Measurement, Modeling, and Simulation of Malware","author":"Li, J."},{"key":"atypb7","volume-title":"Proceedings of the IEEE INFOCOM","author":"Moore, D."},{"key":"atypb8","volume-title":"SWORD: Self-propagating worm observation and rapid detection","author":"Li, J.","year":"2006"},{"key":"atypb9","volume-title":"Proceedings of the Symposium on Operating System Design and Implementation (OSDI)","author":"Singh, S."},{"key":"atypb10","volume-title":"roceedings of the USENIX Security Symposium","author":"Kim, H.-A."},{"key":"atypb11","doi-asserted-by":"publisher","DOI":"10.1145\/972374.972384"},{"key":"atypb12","volume-title":"The Future of Internet Worms","author":"Nazario, J.","year":"2003"},{"key":"atypb13","volume-title":"Proceedings of the IEEE INFOCOM","author":"Chen, Z."},{"key":"atypb14","volume-title":"Proceedings of the IEEE INFOCOM","author":"Garetto, M."},{"key":"atypb15","volume-title":"Proceedings of the IEEE Workshop on Information Assurance and Security","author":"Toth, T."},{"key":"atypb16","volume-title":"Proceedings of the Network and Distributed System Security Symposium","author":"Kruegel, C."},{"key":"atypb17","volume-title":"roceedings of the National Information Systems Security Conference","author":"Staniford-Chen, S."},{"key":"atypb18","volume-title":"Proceedings of the USENIX Security Symposium","author":"Twycross, J."},{"key":"atypb19","volume-title":"USENIX Security Symposium","author":"N. Weaver"},{"key":"atypb20","volume-title":"Proceedings of the ACM Internet Measurement Workshop","author":"Moore, D."},{"key":"atypb21","volume-title":"Netbait: A Distributed Worm Detection Service","author":"Chun, B.N.","year":"2003"},{"issue":"3","key":"atypb22","first-page":"26","volume":"8","author":"Mukherjee, B.","year":"1994","journal-title":"Network"},{"key":"atypb23","volume-title":"roceedings of the Symposium on Recent Advances in Intrusion Detection","author":"Dagon, D."},{"key":"atypb24","volume-title":"A honeypot based worm alerting system","author":"Kloet, J.","year":"2005"},{"key":"atypb25","volume-title":"Proceedings of the IEEE Symposium on Security and Privacy","author":"Xie, Y."},{"key":"atypb26","volume-title":"roceedings of the Conference on Computer and Communications Security","author":"Zou, C.C."},{"key":"atypb27","volume-title":"Proceedings of the 13th Systems Administration Conference \u2014 LISA '99","author":"Roesch, M."},{"key":"atypb28","volume-title":"WAND WITS: Auckland-IV trace data","author":"WAND Network Research Group.","year":"2001"},{"key":"atypb29","doi-asserted-by":"publisher","DOI":"10.1145\/272991.272995"},{"key":"atypb30","volume-title":"roceedings of the Annual Computer Security Applications Conference","author":"Whyte, D."}],"container-title":["SIMULATION"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.1177\/0037549707080753","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/journals.sagepub.com\/doi\/pdf\/10.1177\/0037549707080753","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,1]],"date-time":"2026-05-01T11:20:17Z","timestamp":1777634417000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/10.1177\/0037549707080753"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2007,2]]},"references-count":30,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2007,2]]}},"alternative-id":["10.1177\/0037549707080753"],"URL":"https:\/\/doi.org\/10.1177\/0037549707080753","relation":{},"ISSN":["0037-5497","1741-3133"],"issn-type":[{"value":"0037-5497","type":"print"},{"value":"1741-3133","type":"electronic"}],"subject":[],"published":{"date-parts":[[2007,2]]}}}