Research article. DOI: 10.1145/1533057.1533071

An integrated approach to detection of fast and slow scanning worms

Published: 10 March 2009

Abstract

The propagation speed of fast scanning worms and the stealthy nature of slow scanning worms present unique challenges to intrusion detection. Typically, techniques optimized for detection of fast scanning worms fail to detect slow scanning worms, and vice versa. In practice, there is interest in developing an integrated approach to detecting both classes of worms. In this paper, we propose and analyze a unique integrated detection approach capable of detecting and identifying the traffic flow(s) responsible for simultaneous fast and slow scanning malicious worm attacks. The approach uses a combination of evidence from distributed host-based anomaly detectors, a self-adapting profiler and Bayesian inference from network heuristics to detect intrusion activity due to both fast and slow scanning worms. We assume that the extreme nature of fast scanning worm epidemics makes them well suited to extreme value theory, and we use the sample mean excess function to determine appropriate thresholds for detection of such worms. Random scanning worm behavior is considered in analyzing the stochastic time intervals that affect the behavior of the detection technique. Based on the analysis, a probability model for the worm detection interval under the detection scheme was developed. Simulations are used to validate our assumptions and analysis.
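The abstract states that the sample mean excess function is used to set detection thresholds for fast scanning worms. The Python block below is an added illustration of that idea and is not code from the paper or its authors: it computes the sample mean excess e_n(u) over per-host connection rates, builds the mean excess plot, picks the lowest threshold from which the plot is linear (the generalized Pareto tail signature that extreme value theory relies on), and reports the hosts whose rate exceeds it. The per-host rates and host names, the linearity rule with its rel_tol, and the min_exceedances floor are all constructed assumptions of this example, not values or rules taken from the paper.

```python
"""Added example (not the paper's code): sample mean excess function and an
extreme-value-theory threshold rule for flagging fast scanning hosts.
The data and the linearity rule are assumptions of this example."""
from typing import Dict, List, Sequence, Tuple


def mean_excess(sample: Sequence[float], u: float) -> Tuple[float, int]:
    """Sample mean excess e_n(u): average of (x - u) over all x > u.

    Returns (e_n(u), number of exceedances); e_n(u) is 0.0 if nothing
    exceeds u. Above a threshold where the tail is generalized Pareto,
    e_n(u) is approximately linear in u, which the threshold rule below
    looks for.
    """
    excesses = [x - u for x in sample if x > u]
    if not excesses:
        return 0.0, 0
    return sum(excesses) / len(excesses), len(excesses)


def mean_excess_plot(sample: Sequence[float], min_exceedances: int) -> List[Tuple[float, float]]:
    """(u, e_n(u)) for each distinct sample value u that still leaves at
    least min_exceedances observations above it (the mean excess plot)."""
    points: List[Tuple[float, float]] = []
    for u in sorted(set(sample)):
        e, n = mean_excess(sample, u)
        if n < min_exceedances:
            break
        points.append((u, e))
    return points


def _max_residual(points: Sequence[Tuple[float, float]]) -> float:
    """Largest absolute residual of a least-squares line through points."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    sxx = sum((x - mx) ** 2 for x, _ in points)
    slope = 0.0 if sxx == 0 else sum((x - mx) * (y - my) for x, y in points) / sxx
    intercept = my - slope * mx
    return max(abs(y - (intercept + slope * x)) for x, y in points)


def select_threshold(sample: Sequence[float], min_exceedances: int = 5, rel_tol: float = 0.05) -> float:
    """Smallest threshold u from which the rest of the mean excess plot is
    linear within rel_tol of its vertical range (assumed rule, not the
    paper's). A two-point tail is always linear, so a value that leaves at
    least min_exceedances observations above it is always returned."""
    pts = mean_excess_plot(sample, min_exceedances)
    if len(pts) < 2:
        raise ValueError("too few distinct values for a mean excess plot")
    for i in range(len(pts) - 1):
        tail = pts[i:]
        ys = [y for _, y in tail]
        if _max_residual(tail) <= rel_tol * max(max(ys) - min(ys), 1e-12):
            return tail[0][0]
    return pts[-2][0]  # not reached in practice; keeps the return total


def flag_fast_scanners(rates: Dict[str, float], min_exceedances: int = 5) -> Tuple[float, List[str]]:
    """Threshold per-host rates with select_threshold; return (threshold,
    hosts whose rate exceeds it)."""
    thr = select_threshold(list(rates.values()), min_exceedances)
    return thr, sorted(h for h, r in rates.items() if r > thr)


# Constructed sample (made up for this example): new-destination connection
# rate per host per second for 60 ordinary workstations, 5 busier servers,
# and 3 hosts scanning at worm-like rates.
CONSTRUCTED_RATES: Dict[str, float] = {f"ws{i:02d}": 0.5 + (i % 7) * 0.3 for i in range(60)}
CONSTRUCTED_RATES.update({"srv1": 4.0, "srv2": 5.5, "srv3": 7.0, "srv4": 9.0, "srv5": 12.0})
CONSTRUCTED_RATES.update({"scan1": 900.0, "scan2": 1200.0, "scan3": 1500.0})

if __name__ == "__main__":
    for u, e in mean_excess_plot(list(CONSTRUCTED_RATES.values()), 5):
        print(f"u={u:7.1f}  e_n(u)={e:8.2f}")
    thr, flagged = flag_fast_scanners(CONSTRUCTED_RATES)
    print(f"threshold={thr}  flagged={flagged}")
```

The threshold from the mean excess plot is only one evidence source. As the abstract notes, the paper combines it with host-based anomaly detectors, a self-adapting profiler and Bayesian inference, which is what would keep the busier legitimate servers in the constructed data that also land above the threshold from being treated as worm traffic on this statistic alone.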


Cited By

  • (2016) Slow-Paced Persistent Network Attacks Analysis and Detection Using Spectrum Analysis. IEEE Systems Journal 10(4):1326-1337, Dec 2016. DOI 10.1109/JSYST.2014.2348567
  • (2013) Spectrum analysis for detecting slow-paced persistent activities in network security. 2013 IEEE International Conference on Communications (ICC), pages 1985-1989, Jun 2013. DOI 10.1109/ICC.2013.6654815
  • (2013) A scalable network forensics mechanism for stealthy self-propagating attacks. Computer Communications 36(13):1471-1484, 1 Jul 2013. DOI 10.1016/j.comcom.2013.05.005
  • (2009) Detection of slow malicious worms using multi-sensor data fusion. 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, pages 1-9, Jul 2009. DOI 10.1109/CISDA.2009.5356557


Published In

ASIACCS '09: Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
March 2009, 408 pages
ISBN: 9781605583945
DOI: 10.1145/1533057

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Bayesian inference
  2. anomaly detection
  3. detection interval
  4. intrusion detection
  5. probability model
  6. worms

Acceptance Rate

Overall acceptance rate: 418 of 2,322 submissions (18%)
