Correcting congestion-based error in network telescope's observations of worm dynamics

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Correcting congestion-based error in network telescope's observations of worm dynamics

Full text

Pdf (488 KB)

Source

Internet Measurement Conference archive
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement table of contents

Vouliagmeni, Greece

SESSION: Internet coordinates and anomaly detection table of contents

Pages 125-130

Year of Publication: 2008

ISBN:978-1-60558-334-1

Authors

Songjie Wei	University of Delaware, Newark, DE, USA
Jelena Mirkovic	University of Southern California, Marina Del Rey, CA, USA

Sponsors

SIGCOMM: ACM Special Interest Group on Data Communication
SIGMETRICS: ACM Special Interest Group on Measurement and Evaluation
ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 16, Downloads (12 Months): 197, Citation Count: 0

Additional Information:

abstract references index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/1452520.1452536 What is a DOI?

ABSTRACT

Network telescopes have been invaluable for collecting information about dynamics of large-scale worm events. Yet, a telescope's observation may be incomplete due to scan congestion drops, hardware limitations, filtering and presence of NATs, a worm's non-uniform scanning strategy or its short life. We investigate inaccuracies in telescope observations that arise from worm-induced congestion drops of worm scans and show that they may lead to significant underestimates of the number of infectees and their scanning rate. We propose a method to infer worm-induced congestion drops from telescope's observations and use them to accurately estimate global worm dynamics. We apply our methods to CAIDA telescope's observations of Witty worm's spread, and release corrected statistics of worm dynamics for public use.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	David Moore , Vern Paxson , Stefan Savage , Colleen Shannon , Stuart Staniford , Nicholas Weaver, Inside the Slammer Worm, IEEE Security and Privacy, v.1 n.4, p.33-39, July 2003 [doi>10.1109/MSECP.2003.1219056]
	2	David Moore , Colleen Shannon , k claffy, Code-Red: a case study on the spread and victims of an internet worm, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France [doi>10.1145/637201.637244]
	3	Colleen Shannon , David Moore, The Spread of the Witty Worm, IEEE Security and Privacy, v.2 n.4, p.46-50, July 2004 [doi>10.1109/MSP.2004.59]
	4	David Moore , Geoffrey M. Voelker , Stefan Savage, Inferring internet denial-of-service activity, Proceedings of the 10th conference on USENIX Security Symposium, p.2-2, August 13-17, 2001, Washington, D.C.
	5	Colleen Shannon and David Moore. The CAIDA Dataset on the Witty Worm. http://www.caida.org/data/passive/witty_worm_dataset.xml/.
	6	Abhishek Kumar , Vern Paxson , Nicholas Weaver, Exploiting underlying structure for detailed reconstruction of an internet-scale event, Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement, p.33-33, October 19-21, 2005, Berkeley, CA
	7	Nicholas Weaver , Ihab Hamadeh , George Kesidis , Vern Paxson, Preliminary results using scale-down to explore worm dynamics, Proceedings of the 2004 ACM workshop on Rapid malcode, October 29-29, 2004, Washington DC, USA [doi>10.1145/1029618.1029628]
	8	Ihab Hamadeh and George Kesidis. Toward a Framework for Forensic Analysis of Scanning Worms. In Proc. of ETRICS International Conference, Jun 2006.
	9	Cliff Changchun Zou , Lixin Gao , Weibo Gong , Don Towsley, Monitoring and early warning for internet worms, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA [doi>10.1145/948109.948136]
	10	David Moore, Collen Shannon, Geoffrey Voelker, and Stefan Savage. Network Telescopes: Technical Report. CAIDA technical report, 2004.
	11	Moheeb Abu Rajab , Fabian Monrose , Andreas Terzis, On the effectiveness of distributed worm monitoring, Proceedings of the 14th conference on USENIX Security Symposium, p.15-15, July 31-August 05, 2005, Baltimore, MD
	12	CAIDA. Network Telescope. http://www.caida.org/research/security/telescope,.
	13	University of Wisconsin-Madison Advanced Internet Lab. Web page. http://wail.cs.wisc.edu.
	14	Moheeb Abu Rajab , Fabian Monrose , Andreas Terzis, On the impact of dynamic addressing on malware propagation, Proceedings of the 4th ACM workshop on Recurring malcode, November 03-03, 2006, Alexandria, Virginia, USA [doi>10.1145/1179542.1179554]
	15	Steven M. Bellovin, A technique for counting natted hosts, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France [doi>10.1145/637201.637243]
	16	George Cassella and Roger L. Berger. Statistical Inference. Duxburg Press, 2nd edition, 2001.
	17	University of Oregon. Route Views Project. http://www.routeviews.org.
	18	CAIDA. Internet Measurement Data Catalog. http://www.datcat.org.