DOI: 10.1145/1103626.1103642

The detection of RCS worm epidemics

Published: 11 November 2005

Abstract

This paper discusses the problem of automatically detecting the existence of Random Constant Scanning (RCS) worm epidemics on the Internet by observing packet traffic in a local network. The propagation of the RCS worm is modelled as a simple epidemic. An optimal hypothesis-testing approach is presented to detect simple epidemics under idealized conditions based on the cumulative sums of log-likelihood ratios. It is shown that there are limitations on the ability of this optimal method to detect several important subclasses of RCS worm epidemics even under idealized conditions.


Published In

WORM '05: Proceedings of the 2005 ACM workshop on Rapid malcode
November 2005
94 pages
ISBN:1595932291
DOI:10.1145/1103626
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Conference

CCS05

Cited By

  • (2014) Epidemiological Diffusion and Discrete Branching Models for Malware Propagation in Computer Networks. Mathematics Without Boundaries, pp. 139-179. DOI: 10.1007/978-1-4939-1124-0_6. Online publication date: 6-Aug-2014
  • (2009) Optimal and robust epidemic response for multiple networks. Control Engineering Practice 17:5, pp. 525-533. DOI: 10.1016/j.conengprac.2008.10.007. Online publication date: May-2009
  • (2008) Deterministic and stochastic models for the detection of random constant scanning worms. ACM Transactions on Modeling and Computer Simulation 18:2, pp. 1-24. DOI: 10.1145/1346325.1346329. Online publication date: 28-Apr-2008
  • (2008) di-jest. Proceedings of the 2008 International Symposium on a World of Wireless, Mobile and Multimedia Networks, pp. 1-6. DOI: 10.1109/WOWMOM.2008.4594898. Online publication date: 23-Jun-2008
  • (2008) Modeling and Automated Containment of Worms. IEEE Transactions on Dependable and Secure Computing 5:2, pp. 71-86. DOI: 10.1109/TDSC.2007.70230. Online publication date: 1-Apr-2008
  • (2007) Optimal and robust epidemic response for multiple networks. 2007 46th IEEE Conference on Decision and Control, pp. 5074-5079. DOI: 10.1109/CDC.2007.4434524. Online publication date: Dec-2007
  • (2006) The impact of stochastic variance on worm propagation and detection. Proceedings of the 4th ACM workshop on Recurring malcode, pp. 57-64. DOI: 10.1145/1179542.1179555. Online publication date: 3-Nov-2006
  • (2006) Resource allocation for restoration of compromised systems. Journal of Combinatorial Optimization 12:1-2, pp. 35-56. DOI: 10.1007/s10878-006-8903-1. Online publication date: 27-Jun-2006
  • (2005) Stochastic behavior of random constant scanning worms. Proceedings. 14th International Conference on Computer Communications and Networks, 2005. ICCCN 2005., pp. 339-344. DOI: 10.1109/ICCCN.2005.1523881. Online publication date: 2005
