The current ideas: analyze the traffic; differentiate between an attack and a worm; profile a worm; take simple approaches.

Data sources: packet capture (tcpdump), NetFlow, log files.

Signature-based methods? They don't scale, and they cannot tell you about new threats.
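As an added illustration (not code from the original notes), the following Python contrasts the two approaches named above: a behavioural profile built from NetFlow-style records, which needs no payload and no prior knowledge of the worm, versus a payload signature, which needs packet capture and only matches content already known. The record layout, the fan-out and size thresholds, the "WORM_MARKER" signature and the sample flows are all constructed assumptions for this example.

```python
"""Profile worm-like propagation from NetFlow-style records.

Added example: behavioural profiling (many distinct destinations on one
port, each flow small and uniform) versus a payload signature that needs
tcpdump-style capture and matches only known content. Record format,
thresholds and sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (constructed fields, not a real export format)."""
    src: str
    dst: str
    dport: int
    packets: int
    bytes: int


def profile_sources(flows, min_fanout=8, max_bytes=2000):
    """Return {src: (dport, distinct_dst_count)} for sources whose traffic
    looks like worm propagation: at least `min_fanout` distinct destinations
    on a single port, every flow at most `max_bytes` and all flows within
    20% of each other in size.

    The thresholds are assumptions for this example; tune them per network.
    """
    fanout = defaultdict(lambda: defaultdict(set))   # src -> dport -> {dst}
    sizes = defaultdict(list)                          # (src, dport) -> [bytes]
    for f in flows:
        fanout[f.src][f.dport].add(f.dst)
        sizes[(f.src, f.dport)].append(f.bytes)

    suspects = {}
    for src, ports in fanout.items():
        for dport, dsts in ports.items():
            n = len(dsts)
            if n < min_fanout:
                continue
            sz = sizes[(src, dport)]
            if max(sz) <= max_bytes and (max(sz) - min(sz)) <= 0.2 * max(sz):
                suspects[src] = (dport, n)
    return suspects


def signature_match(payloads, signatures):
    """Signature approach: needs packet payloads (tcpdump), matches only
    byte strings already known. Returns the set of matched signature names."""
    hits = set()
    for p in payloads:
        for name, sig in signatures.items():
            if sig in p:
                hits.add(name)
    return hits


# Constructed sample: 10.0.0.5 sweeps 445/tcp across a subnet with tiny,
# uniform flows; 10.0.0.9 is a normal client with a few large, varied flows.
SAMPLE_FLOWS = [Flow("10.0.0.5", f"10.0.1.{i}", 445, 3, 180) for i in range(1, 13)] + [
    Flow("10.0.0.9", "10.0.2.10", 443, 40, 51234),
    Flow("10.0.0.9", "10.0.2.11", 443, 12, 9000),
    Flow("10.0.0.9", "10.0.2.12", 80, 5, 1200),
]

# Hypothetical signature for a "known" worm; NetFlow carries no payload,
# so a sweep by a worm without this marker is invisible to this path.
KNOWN_SIGNATURES = {"known-worm": b"WORM_MARKER"}

if __name__ == "__main__":
    print(profile_sources(SAMPLE_FLOWS))
    print(signature_match([b"GET / HTTP/1.1"], KNOWN_SIGNATURES))
```

The behavioural path flags 10.0.0.5 from flow metadata alone, which is why it can surface a worm nobody has written a signature for yet; the signature path returns nothing for the same traffic, and would still return nothing for a new worm even with full packet capture.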