Abstract
Knowledge of a worm's origin is necessary for forensic analysis, and knowledge of the initial causal flows supports diagnosis of how network defenses were breached. Fast and accurate online tracing of a network worm during its propagation helps to detect the worm's origin and the earliest infected nodes, and is essential for large-scale worm containment. This paper introduces the Accumulation Algorithm, which can efficiently trace a worm's origin and its initial propagation paths, and presents an improved online Accumulation Algorithm using sliding detection windows. We also analyze and verify their detection accuracy and containment efficacy through simulation experiments in a large-scale network. Results indicate that the online Accumulation Algorithm can accurately trace worms and efficiently contain their propagation in an approximately real-time manner.
Supported by NSFC (60703023).
© 2008 IFIP International Federation for Information Processing
Cite this paper
Xiang, Y., Li, Q., Guo, D. (2008). Online Accumulation: Reconstruction of Worm Propagation Path. In: Cao, J., Li, M., Wu, MY., Chen, J. (eds) Network and Parallel Computing. NPC 2008. Lecture Notes in Computer Science, vol 5245. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88140-7_15
DOI: https://doi.org/10.1007/978-3-540-88140-7_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88139-1
Online ISBN: 978-3-540-88140-7
eBook Packages: Computer Science (R0)