Document Type


Publication Date

January 2008

Publication Title

IEEE Communications Surveys and Tutorials



Issue Number





Self-duplicating, self-propagating malicious codes known as computer worms spread themselves without any human interaction and launch the most destructive attacks against computer networks. At the same time, being fully automated makes their behavior repetitious and predictable. This article presents a survey and comparison of Internet worm detection and containment schemes. We first identify worm characteristics through their behavior, and then classify worm detection algorithms based on the parameters used in the algorithms. Furthermore, we analyze and compare different detection algorithms with reference to the worm characteristics by identifying the type of worms that can and cannot be detected by these schemes. After detecting the existence of worms, the next step is to contain them. This article explores the current methods used to slow down or stop the spread of worms. The locations to implement detection and containment, as well as the scope of each of these systems/methods, are also explored in depth. Finally, this article points out the remaining challenges of worm detection and future research directions.


This is the Author's Accepted Manuscript of an article originally published in IEEE Communications Surveys & Tutorials Vol. 10, Iss. 1 by IEEE, 2008, DOI: 10.1109/COMST.2008.4483668. The Version of Record can be found online at this link.