Host behaviour based early detection of worm outbreaks in Internet backbones | IEEE Conference Publication | IEEE Xplore

Abstract:

We propose a novel near real-time method for early detection of worm outbreaks in high-speed Internet backbones. Our method attributes several behavioural properties to individual hosts, such as the ratio of outgoing to incoming traffic, responsiveness and number of connections. These properties are used to group hosts into distinct behaviour classes. We use flow-level (Cisco NetFlow) information exported by the border routers of a Swiss Internet backbone provider (AS559/SWITCH). By tracking the cardinality of each class over time and raising alarms on fast increases and other significant changes, we can detect worm outbreaks early and reliably. We successfully validated our method with archived flow-level traces of recent major Internet e-mail based worms such as MyDoom.A and Sobig.F, and of fast spreading network worms like Witty and Blaster. Our method is generic in the sense that it does not require any prior knowledge about the exploits and scanning methods used by the worms. It can deliver, in near real-time, a set of suspicious hosts that have recently and drastically changed their network behaviour and hence are highly likely to be infected.
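The detection loop the abstract describes, as an added example that is not the paper's code: per-host properties are computed from NetFlow-like records per time bin, hosts are grouped into behaviour classes, and an alarm fires when a class's cardinality jumps between consecutive bins, with the hosts that newly entered the class reported as suspects. The three properties follow the abstract; the class names (sender, connector, unanswered), the thresholds, the definition of responsiveness as "a reverse flow was seen in the same bin", and the sample traffic are all assumptions made for illustration and are not taken from the paper or from SWITCH data.

```python
# Added illustration of class-cardinality worm detection over NetFlow-like
# records. Not the paper's code: the three host properties follow the abstract,
# while the class names, thresholds and the sample traffic are assumptions.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    t: int       # time bin index (e.g. one-minute bins)
    src: str
    dst: str
    dport: int
    bytes: int


# Assumed thresholds; a deployment would tune them on baseline traffic.
RATIO_THRESHOLD = 3.0   # out/in byte ratio marking a "sender" host
CONN_THRESHOLD = 10     # distinct (dst, dport) pairs marking a "connector" host
RESP_THRESHOLD = 0.2    # reply fraction below which a connector is "unanswered"
ALARM_FACTOR = 3.0      # class growth between consecutive bins that alarms
ALARM_MIN_NEW = 5       # and at least this many newcomers, to ignore tiny classes


def host_properties(flows: List[Flow], t: int) -> Dict[str, dict]:
    """Per-host properties in bin t: bytes out/in, number of distinct
    (dst, dport) connections, and responsiveness = fraction of contacted
    destinations that sent at least one flow back within the same bin."""
    out_bytes: Dict[str, int] = defaultdict(int)
    in_bytes: Dict[str, int] = defaultdict(int)
    targets: Dict[str, Set[tuple]] = defaultdict(set)
    seen: Set[tuple] = set()      # (src, dst) pairs with at least one flow
    for f in flows:
        if f.t != t:
            continue
        out_bytes[f.src] += f.bytes
        in_bytes[f.dst] += f.bytes
        targets[f.src].add((f.dst, f.dport))
        seen.add((f.src, f.dst))
    props = {}
    for h in set(out_bytes) | set(in_bytes):
        dsts = {d for d, _ in targets[h]}
        answered = sum(1 for d in dsts if (d, h) in seen)   # reverse flow exists
        props[h] = {
            "out_bytes": out_bytes[h],
            "in_bytes": in_bytes[h],
            "connections": len(targets[h]),
            "responsiveness": answered / len(dsts) if dsts else 1.0,
        }
    return props


def classify(props: Dict[str, dict]) -> Dict[str, Set[str]]:
    """Assign every host to zero or more behaviour classes (assumed definitions)."""
    classes: Dict[str, Set[str]] = {"sender": set(), "connector": set(), "unanswered": set()}
    for h, p in props.items():
        if p["out_bytes"] >= RATIO_THRESHOLD * max(p["in_bytes"], 1):
            classes["sender"].add(h)
        if p["connections"] >= CONN_THRESHOLD:
            classes["connector"].add(h)
            if p["responsiveness"] < RESP_THRESHOLD:
                classes["unanswered"].add(h)
    return classes


def detect(flows: List[Flow]) -> List[dict]:
    """Track each class's cardinality bin by bin; alarm when a class grows by
    ALARM_FACTOR over the previous bin. Hosts that newly entered the class are
    the suspects, i.e. those whose behaviour just changed drastically."""
    prev = None                    # no baseline in the first bin, so no alarms there
    alarms = []
    for t in sorted({f.t for f in flows}):
        cur = classify(host_properties(flows, t))
        if prev is not None:
            for name, members in cur.items():
                new = members - prev[name]
                grown = len(members) >= ALARM_FACTOR * max(len(prev[name]), 1)
                if grown and len(new) >= ALARM_MIN_NEW:
                    alarms.append({"bin": t, "class": name, "size": len(members),
                                   "previous": len(prev[name]), "suspects": sorted(new)})
        prev = cur
    return alarms


def constructed_flows() -> List[Flow]:
    """Constructed sample (not SWITCH data): bins 0-1 hold ordinary web traffic;
    in bin 2 six clients also probe 30 unused addresses on TCP/135 and get no reply."""
    flows = []
    clients = [f"10.0.0.{i}" for i in range(1, 21)]
    for t in range(3):
        for i, c in enumerate(clients):
            for j in range(3):                       # three web servers per client
                srv = f"192.0.2.{(i + j) % 5 + 1}"
                flows.append(Flow(t, c, srv, 80, 400))           # request
                flows.append(Flow(t, srv, c, 40000 + i, 6000))   # much larger reply
    for c in clients[:6]:
        for k in range(30):
            flows.append(Flow(2, c, f"203.0.113.{k + 1}", 135, 48))  # SYN-only probe
    return flows


if __name__ == "__main__":
    for a in detect(constructed_flows()):
        print(f"bin {a['bin']}: class '{a['class']}' grew {a['previous']} -> {a['size']}; "
              f"suspects {a['suspects']}")
```

In the constructed traffic the web servers sit permanently in the sender and connector classes, so their presence never alarms; only the unanswered class jumps from 0 to 6 in bin 2, and the six probing clients are reported. The first bin is used purely as a baseline, which avoids a cold-start alarm on classes that are simply non-empty from the start.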
Date of Conference: 13-15 June 2005
Date Added to IEEE Xplore: 03 January 2006
Print ISBN:0-7695-2362-5
Print ISSN: 1524-4547
Conference Location: Linköping, Sweden

1. Introduction

As we currently approach one billion Internet users [14], more and more cyber criminals join in and misuse this worldwide network by releasing malicious worm code that infects hosts and spreads aggressively across the network. Surprisingly, many large operators of Internet backbones still see too little incentive to deploy security elements and to analyse their network traffic proactively in near real-time for new massive security incidents such as worm outbreaks. Security on the Internet is mostly regarded as the duty of network users, who are expected to protect their end systems with a firewall and a virus scanner.

References

1. http://www.sans.org/.
2. V. Berk, G. Bakos, and R. Morris. Designing a Framework for Active Worm Detection on Global Networks. In Proceedings of the First IEEE International Workshop on Information Assurance (IWIA '03), Darmstadt, Germany, March 2003.
3. CERT. Advisory CA-2003-20 W32/Blaster Worm. http://www.cert.org/advisories/CA-2003-20.html, 2003.
4. CERT. Incident Note IN-2003-03 W32/Sobig.F. http://www.cert.org/incident_notes/IN-2003-03.html, 2003.
5. CERT. Incident Note IN-2004-01. http://www.cert.org/incident_notes/IN-2004-01.html, January 2004.
6. B. Chun, J. Lee, and H. Weatherspoon. Netbait: A Distributed Worm Detection Service. http://netbait.planet-lab.org/, 2003.
7. DDoSVax: In Search of a Vaccine against DDoS Attacks. http://www.tik.ee.ethz.ch/~ddosvax/.
8. T. Dübendorfer, A. Wagner, T. Hossmann, and B. Plattner. Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone. In Proceedings of DIMVA 2005, LNCS 3548, July 2005.
9. L. Heberlein, G. Dias, K. Levitt, B. Mukherjee, J. Wood, and D. Wolber. A Network Security Monitor. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 296-304, 1990.
10. ISS. Internet Security Systems. http://www.iss.net/, 2004.
11. R. Lemos. MSBlast Epidemic Far Larger than Believed. http://news.com.com/MSBlast+epidemic+far+larger+than+believed/2100-7349_3-5184439.html, 2004.
12. Microsoft Corporation. Microsoft Security Bulletin MS03-026. http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx, 2003.
13. D. Moore. CAIDA's Network Telescope. http://www.caida.org/analysis/security/telescope/, 2004.
14. How Many Online Worldwide? http://www.era.ro/howmanyonline.htm, 2004.
15. C. Schlegel and T. Dübendorfer. UPFrame: A Generic Open Source UDP Processing Framework. http://www.tik.ee.ethz.ch/~ddosvax/upframe/, January 2005.
16. The Last Stage of Delirium. Buffer Overrun in Windows RPC Interface. http://lsd-pl.net/special.html, 2004.
17. US-CERT. Vulnerability Note: Witty (VU#947254). http://www.kb.cert.org/vuls/id/947254, 2004.
