ABSTRACT
Network Intrusion Detection Systems (NIDS) monitor network traffic to detect attacks or unauthorized activities. Traditional NIDSes search for patterns that match typical network compromise or remote hacking attempts. Newer networking applications, however, require finding the frequently repeated strings in a packet stream for further investigation of potential attack attempts. Finding frequently repeated strings within a given time frame of the packet stream has proven quite effective for detecting polymorphic worm outbreaks. This article proposes a novel real-time worm outbreak detection system that uses two-phase hashing and monitors repeated common substrings. We use the concept of shared counters to minimize the memory cost while efficiently sifting through suspicious strings. The worm outbreak detection system has been prototyped on an Altera Stratix FPGA. We have tested the system for various settings and packet stream sizes. Experimental results verify that our system can support gigabit-rate line speeds with negligible false positive and false negative rates.
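The mechanism the abstract describes, as an added example that is not the paper's code or the FPGA design: a rolling fingerprint of every byte window of a packet (first hashing phase) is mapped by several hash functions into one small array of shared counters (second phase, count-min style), and a substring is flagged once every counter it maps to reaches a threshold within the current time window. The page names two-phase hashing and shared counters but not the exact scheme, so this split, the window length, the number of rows, the counter array size, the threshold and the constructed traffic are all assumptions.

```python
# Added example (not the paper's code): frequent-substring detection over a
# packet stream with a rolling fingerprint feeding a small array of shared
# counters (count-min style). The split into "phase 1: rolling fingerprint of
# each byte window" and "phase 2: several hashes of that fingerprint into
# shared counters", and every parameter below, are assumptions.
import hashlib
from typing import Dict, Iterator, List, Tuple

WINDOW = 8        # substring length in bytes (assumed)
ROWS = 3          # hash functions sharing the counter array (assumed)
COUNTERS = 4096   # counters per row: memory is ROWS * COUNTERS integers,
                  # independent of how many distinct substrings are seen
THRESHOLD = 4     # repeats inside one time window before a substring is flagged
_BASE = 257
_MOD = (1 << 61) - 1


def rolling_fingerprints(payload: bytes, w: int = WINDOW) -> Iterator[Tuple[int, bytes]]:
    """Phase 1: Rabin-style rolling hash over every w-byte window of the payload."""
    if len(payload) < w:
        return
    high = pow(_BASE, w - 1, _MOD)        # weight of the byte leaving the window
    h = 0
    for b in payload[:w]:
        h = (h * _BASE + b) % _MOD
    yield h, payload[:w]
    for i in range(w, len(payload)):
        # slide by one byte: drop payload[i-w], append payload[i]
        h = ((h - payload[i - w] * high) * _BASE + payload[i]) % _MOD
        yield h, payload[i - w + 1:i + 1]


def _counter_index(fp: int, row: int) -> int:
    """Phase 2: derive one counter index per row from the fingerprint."""
    digest = hashlib.blake2b(fp.to_bytes(8, "little"), digest_size=8,
                             salt=bytes([row])).digest()
    return int.from_bytes(digest, "little") % COUNTERS


class SharedCounterDetector:
    """The true count of a substring is at most the minimum of its ROWS
    counters, so it is flagged only when all of them reach THRESHOLD;
    collisions between substrings can over-count but never hide a repeat."""

    def __init__(self) -> None:
        self.new_window()
        self.flagged: Dict[bytes, int] = {}

    def new_window(self) -> None:
        """Start a new time window: counts do not carry over between windows."""
        self.counters = [[0] * COUNTERS for _ in range(ROWS)]

    def observe_packet(self, payload: bytes) -> List[bytes]:
        """Count each distinct substring of the packet once; return substrings
        whose estimated count crossed THRESHOLD while processing this packet."""
        newly_flagged: List[bytes] = []
        seen = set()
        for fp, substring in rolling_fingerprints(payload):
            if fp in seen:
                continue
            seen.add(fp)
            estimate = None
            for row in range(ROWS):
                idx = _counter_index(fp, row)
                self.counters[row][idx] += 1
                c = self.counters[row][idx]
                estimate = c if estimate is None else min(estimate, c)
            if estimate >= THRESHOLD and substring not in self.flagged:
                self.flagged[substring] = estimate
                newly_flagged.append(substring)
        return newly_flagged


# Constructed traffic (not captured data): benign packets are pseudo-random
# bytes derived from a seed; "worm" packets vary everywhere except one 8-byte
# fragment, standing in for the part a polymorphic worm cannot change.
INVARIANT = b"FIXED-8B"


def _random_bytes(seed: str, n: int) -> bytes:
    return hashlib.sha256(seed.encode()).digest()[:n]


def run_demo() -> List[bytes]:
    """Benign background plus a 5-packet burst sharing INVARIANT, one window."""
    det = SharedCounterDetector()
    flagged: List[bytes] = []
    for i in range(10):
        flagged += det.observe_packet(_random_bytes(f"benign-{i}", 32))
    for j in range(5):
        payload = _random_bytes(f"head-{j}", 16) + INVARIANT + _random_bytes(f"tail-{j}", 16)
        flagged += det.observe_packet(payload)
    return flagged


def repeat_across_windows() -> bool:
    """Three repeats in one window and three in the next never reach THRESHOLD,
    because the counters are reset at the window boundary."""
    det = SharedCounterDetector()
    for j in range(3):
        det.observe_packet(_random_bytes(f"a-{j}", 16) + INVARIANT)
    det.new_window()
    for j in range(3):
        det.observe_packet(_random_bytes(f"b-{j}", 16) + INVARIANT)
    return bool(det.flagged)
```

The memory cost is fixed at `ROWS * COUNTERS` integers regardless of how many distinct substrings the stream contains, which is the point of sharing counters rather than keeping one per substring; the price is that a benign substring can be over-counted when it collides with hot counters in every row. Note also that legitimate protocol constants (HTTP request lines, for instance) repeat just as reliably as a worm's invariant fragment; the abstract says such strings are sifted before being treated as suspicious, but the page does not describe how, so this example stops at flagging.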