ABSTRACT
After the Code Red incident in 2001 and the SQL Slammer in January 2003, it is clear that a simple self-propagating worm can quickly spread across the Internet, infecting most vulnerable computers before people can take effective countermeasures. The fast-spreading nature of worms calls for a worm monitoring and early warning system. In this paper, we propose effective algorithms for early detection of the presence of a worm and the corresponding monitoring system. Based on an epidemic model and observation data from the monitoring system, and using the idea of "detecting the trend, not the rate" of monitored illegitimate scan traffic, we propose to use a Kalman filter to detect a worm's propagation at its early stage in real time. In addition, we can effectively predict the overall vulnerable population size and correct the bias in the observed number of infected hosts. Our simulation experiments for Code Red and SQL Slammer show that with observation data from a small fraction of IP addresses, we can detect the presence of a worm when it infects only 1% to 2% of the vulnerable computers on the Internet.
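The following is an added illustration of the "detect the trend, not the rate" idea in the abstract, not code from the paper: a constructed logistic SI epidemic is watched by a monitor that sees only a fraction of infected hosts plus background noise, and a scalar Kalman filter estimates the infection rate alpha from the monitored counts, raising an alarm only once that estimate settles at a positive value rather than when the scan volume is high. The monitor coverage ETA, the noise level, the stabilisation rule (20 estimates within 10% of their mean) and the early-stage linearisation I_t ~ (1 + alpha) I_{t-1} are all assumptions made for the example.

```python
"""Kalman-filter worm early warning ("detect the trend, not the rate").
Added illustration, not the paper's code. Constructed assumptions: per-minute
logistic SI epidemic; a monitor sees a fixed fraction ETA of infected hosts
plus Gaussian noise; early-stage linearisation I_t ~ (1 + alpha) I_{t-1}."""
import random

N = 360_000        # vulnerable population, Code Red scale (constructed)
ALPHA = 0.03       # true per-minute infection rate, ~1.8/hour (constructed)
ETA = 0.5          # fraction of infected hosts the monitor sees per minute
NOISE_SD = 3.0     # background scan noise on the monitored count
START_COUNT = 30   # monitored count at which the filter is switched on
WINDOW, SPREAD = 20, 0.1   # stable = last 20 estimates within 10% of mean

def simulate(seed=7):
    """Logistic SI epidemic plus monitor observations (equal-length lists)."""
    rng = random.Random(seed)
    infected, observed = [10.0], []
    while infected[-1] < 0.1 * N:
        i = infected[-1]
        observed.append(max(0.0, ETA * i + rng.gauss(0.0, NOISE_SD)))
        infected.append(i + ALPHA * i * (1 - i / N))
    observed.append(max(0.0, ETA * infected[-1] + rng.gauss(0.0, NOISE_SD)))
    return infected, observed

def detect(observed, q=1e-7, r=2 * NOISE_SD ** 2):
    """Scalar Kalman filter on alpha, model y_t - y_{t-1} = alpha*y_{t-1} + v; ETA
    cancels, so alpha needs no knowledge of monitor coverage. Returns (alarm, hist)."""
    alpha, p, history, started = 0.0, 1.0, [], False
    for t in range(1, len(observed)):
        if not started:                  # ignore background-only traffic
            started = observed[t] >= START_COUNT
            continue
        h, z = observed[t - 1], observed[t] - observed[t - 1]
        p += q                           # predict: alpha drifts slowly
        k = p * h / (h * h * p + r)      # Kalman gain
        alpha += k * (z - h * alpha)     # correct with the innovation
        p *= 1 - k * h
        history.append((t, alpha))
        recent = [a for _, a in history[-WINDOW:]]
        if len(recent) == WINDOW and min(recent) > 0 and \
                max(recent) - min(recent) < SPREAD * sum(recent) / WINDOW:
            return t, history            # settled at a positive growth rate
    return None, history

def run(seed=7):
    """Returns (alarm minute, infected fraction at alarm, alpha estimate)."""
    infected, observed = simulate(seed)
    alarm, history = detect(observed)
    frac = None if alarm is None else infected[alarm] / N
    return alarm, frac, history[-1][1] if history else None
```

Calling `run()` reports the minute of the alarm, the fraction of the vulnerable population infected at that point, and the alpha estimate; a flat series of high counts never alarms, because a constant count has no positive trend.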