ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
A behavioral approach to worm detection
Full text PdfPdf (240 KB)
Source Workshop on Rapid Malcode archive
Proceedings of the 2004 ACM workshop on Rapid malcode table of contents
Washington DC, USA
SESSION: Session 2 table of contents
Pages: 43 - 53  
Year of Publication: 2004
ISBN:1-58113-970-5
Authors
Daniel R. Ellis  The MITRE Corporation
John G. Aiken  The MITRE Corporation
Kira S. Attwood  The MITRE Corporation
Scott D. Tenaglia  The MITRE Corporation
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 7,   Downloads (12 Months): 96,   Citation Count: 15
Additional Information:

abstract   references   cited by   index terms   review   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1029618.1029625
What is a DOI?

ABSTRACT

This paper presents a new approach to the automatic detection of worms using behavioral signatures. A behavioral signature describes aspects of any particular worm's behavior that are common across the manifestations of a given worm and that span its nodes in temporal order. Characteristic patterns of worm behaviors in network traffic include 1) sending similar data from one machine to the next, 2) tree-like propagation and reconnaissance, and 3) changing a server into a client. These behavioral signatures are presented within the context of a general worm propagation model. Taken together, they have the potential to detect entire classes of worms including those which have yet to be observed.

This paper introduces the concept of an network application architecture (NAA) as a way to distribute network applications. An analysis shows that the choice of NAA impacts the sensitivity of behavioral signatures. An NAA that satisfies certain constraints significantly improves worm detection sensitivity. Mathematical models of traffic flow, NAAs, worm propagation, and worm detection provide a context for the entire discussion.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Joan M. Aldous and Robin J. Wilson, Graphs and Applications: An Introductory Approach, Springer-Verlag, 2000.
 
2
Eric Bryant , James Early , Rajeev Gopalakrishna , Gregory Roth , Eugene H. Spafford , Keith Watson , Paul Williams , Scott Yost, Poly2 Paradigm: A Secure Network Service Architecture, Proceedings of the 19th Annual Computer Security Applications Conference, p.342, December 08-12, 2003
3
Dan Ellis, Worm anatomy and model, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA  [doi>10.1145/948187.948196]
 
4
J. D. Guttman, Filtering postures: local enforcement for global policies, Proceedings of the 1997 IEEE Symposium on Security and Privacy, p.120, May 04-07, 1997
 
5
Hyang-Ah Kim, Brad Karp, Autograph: Toward Automated, DistributedWorm Signature Detection, USENIX Security Symposium, to appear, 2004.
 
6
Internet Engineering Task Force RFC 1700. http://www.ietf.org/rfc/rfc1700.txt.
 
7
Jose Nazario, Defense and Detection Strategies against Internet Worms, Artech House, Inc., Norwood, MA, 2003
 
8
Sumeet Singh, Cristian Estan, George Varghese, Stefan Savage, The EarlyBird System for Real-time Detection of Unknown Worms, to be presented at the Sixth Symposium on Operating System Design and Implementation (OSDI), 2004. http://www.snort.org/.
 
9
Stuart Staniford et al., The Design of GrIDS: A Graph-Based Intrusion Detection System. UCD Technical Report CSE-99-2, January, 1999.
 
10
Stuart Staniford , Vern Paxson , Nicholas Weaver, How to Own the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, p.149-167, August 05-09, 2002
 
11
Stuart Staniford. Containment of Scanning Worms in Enterprise Networks. Journal of Computer Security, to appear, 2004.
 
12
Richard W. Stevens, TCP/IP Illustrated, vol. 1, Addison Wesley Longman, Inc., 1994.
 
13
Nicholas Weaver, Vern Paxson, Stuart Staniford, Robert Cunningham.
14
Nicholas Weaver , Vern Paxson , Stuart Staniford , Robert Cunningham, A taxonomy of computer worms, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA  [doi>10.1145/948187.948190]
 
15
Nicholas Weaver, Dan Ellis, Vern Paxson, Stuart Staniford, Worms vs. Perimeters: The Case for HardLANs, To appear, Hot Interconnects 2004, Stanford University, August, 2004.
 
16
Nicholas Weaver, Stuart Staniford, Vern Paxson, Very Fast Containment of Scanning Worms, USENIX Security Symposium, 2004.
 
17
Matthew M. Williamson, Throttling Viruses: Restricting propagation to defeat malicious mobile code, Proceedings of the 18th Annual Computer Security Applications Conference, p.61, December 09-13, 2002

CITED BY  15
David J. Malan , Michael D. Smith, Host-based detection of worms through peer-to-peer cooperation, Proceedings of the 2005 ACM workshop on Rapid malcode, November 11-11, 2005, Fairfax, VA, USA
Michael Vrable , Justin Ma , Jay Chen , David Moore , Erik Vandekieft , Alex C. Snoeren , Geoffrey M. Voelker , Stefan Savage, Scalability, fidelity, and containment in the potemkin virtual honeyfarm, ACM SIGOPS Operating Systems Review, v.39 n.5, December 2005
Guofei Gu , Phillip Porras , Vinod Yegneswaran , Martin Fong , Wenke Lee, BotHunter: detecting malware infection through IDS-driven dialog correlation, Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, p.1-16, August 06-10, 2007, Boston, MA
David J. Malan , Michael D. Smith, Exploiting temporal consistency to reduce false positives in host-based, collaborative detection of worms, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
Xuxian Jiang , Dongyan Xu, Profiling self-propagating worms via behavioral footprinting, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
Prem Gopalan , Kyle Jamieson , Panayiotis Mavrommatis , Massimiliano Poletto, Signature metrics for accurate and automated worm detection, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA
Abhijit Bose , Kang G. Shin, Proactive security for mobile messaging networks, Proceedings of the 5th ACM workshop on Wireless security, September 29-29, 2006, Los Angeles, California
Guanling Chen , Robert S. Gray, Simulating non-scanning worms on peer-to-peer networks, Proceedings of the 1st international conference on Scalable information systems, p.29-es, May 30-June 01, 2006, Hong Kong
A. Herath , S. Herath , R. Goonatilake , J. Herath , Richard Stockton, Mathematical modeling of cyber attacks: a learning module to enhance undergraduate security curricula, Journal of Computing Sciences in Colleges, v.22 n.4, p.152-161, April 2007
Marianne Shaw, Leveraging good intentions to reduce unwanted network traffic, Proceedings of the 2nd conference on Steps to Reducing Unwanted Traffic on the Internet, p.9-9, July 07, 2006, San Jose, CA
Kristopher Hall , Randy Marchany , Nathaniel Davis, Identifying, characterizing, and controlling stealth worms in wireless networks through biological epidemiology, Proceedings of the second international workshop on Wireless traffic measurements and modeling, p.1-es, August 05-05, 2006, Boston, Massachusetts
Hahnsang Kim , Joshua Smith , Kang G. Shin, Detecting energy-greedy anomalies and mobile malware variants, Proceeding of the 6th international conference on Mobile systems, applications, and services, June 17-20, 2008, Breckenridge, CO, USA
Abhijit Bose , Xin Hu , Kang G. Shin , Taejoon Park, Behavioral detection of malware on mobile handsets, Proceeding of the 6th international conference on Mobile systems, applications, and services, June 17-20, 2008, Breckenridge, CO, USA
Yong Tang , Shigang Chen, An Automated Signature-Based Approach against Polymorphic Internet Worms, IEEE Transactions on Parallel and Distributed Systems, v.18 n.7, p.879-892, July 2007
Bon K. Sy, Integrating intrusion alert information to aid forensic explanation: An analytical intrusion detection framework for distributive IDS, Information Fusion, v.10 n.4, p.325-341, October, 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.1 Network Architecture and Design
          Subjects: Network communications


Keywords:
behavioral signatures, descendant relation, intrusion detection, network application architecture, network worms


REVIEW

"Wei Yen : Reviewer"

The detecting function is an integral part of a defense mechanism against viruses, worms, and denial of service attacks. A new paradigm for worm detection is described in this paper. Instead of looking for known patterns in packet contents, this p  more...

Collaborative Colleagues:
Daniel R. Ellis: colleagues
John G. Aiken: colleagues
Kira S. Attwood: colleagues
Scott D. Tenaglia: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player