DOI: 10.1145/1179542.1179547
Article

Profiling self-propagating worms via behavioral footprinting

Published: 03 November 2006

Abstract

This paper proposes behavioral footprinting, a new dimension of worm profiling based on worm infection sessions. A worm's infection session consists of a number of steps (e.g., probing, exploitation, and replication) that are exhibited in a certain order in every successful infection by that worm. Behavioral footprinting complements content-based signatures by enriching a worm's profile, which is then used in worm identification, an important task in post-attack investigation and recovery. We propose an algorithm to extract a worm's behavioral footprint from the worm's traffic traces. Our evaluation with a number of real worms and their variants confirms the existence of worms' behavioral footprints and demonstrates their effectiveness in worm identification.


Cited By

  • (2024) Bi-Directional Transformers vs. word2vec: Discovering Vulnerabilities in Lifted Compiled Code. 2024 Cyber Awareness and Research Symposium (CARS), pp. 1-8, 28 Oct 2024. DOI: 10.1109/CARS61786.2024.10778724
  • (2011) Study on Event-Sequence Based Worm Behavior Analysis in Internet. Proceedings of the 2011 First International Workshop on Complexity and Data Mining, pp. 125-128, 24 Sep 2011. DOI: 10.1109/IWCDM.2011.36
  • (2010) Behavior profiling for robust anomaly detection. 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, pp. 465-471, Jun 2010. DOI: 10.1109/WCINS.2010.5541822
  • (2009) SQLProb. Proceedings of the 2009 ACM Symposium on Applied Computing, pp. 2054-2061, 8 Mar 2009. DOI: 10.1145/1529282.1529737
  • (2008) AMCAS. Proceedings of the 2008 Ninth International Conference on Web-Age Information Management, pp. 501-507, 20 Jul 2008. DOI: 10.1109/WAIM.2008.44
  • (2007) BotHunter. Proceedings of the 16th USENIX Security Symposium, pp. 1-16, 6 Aug 2007. DOI: 10.5555/1362903.1362915

Published In

WORM '06: Proceedings of the 4th ACM Workshop on Recurring Malcode
November 2006
88 pages
ISBN: 1595935517
DOI: 10.1145/1179542

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. behavioral footprinting
  2. content signature
  3. worm profiling
  4. worms

Conference

CCS06
