Host behaviour based early detection of worm outbreaks in Internet backbones | IEEE Conference Publication | IEEE Xplore
Subscribe
ADVANCED SEARCH
Conferences >14th IEEE International Works...

Host behaviour based early detection of worm outbreaks in Internet backbones

PDF
T. Diibendorfer; B. Plattner
All Authors

Abstract:

We propose a novel near real-time method for early detection of worm outbreaks in high-speed Internet backbones. Our method attributes several behavioural properties to i...Show More

Metadata

Abstract:

We propose a novel near real-time method for early detection of worm outbreaks in high-speed Internet backbones. Our method attributes several behavioural properties to individual hosts like ratio of outgoing to incoming traffic, responsiveness and number of connections. These properties are used to group hosts into distinct behaviour classes. We use flow-level (Cisco Net Flow) information exported by the border routers of a Swiss Internet backbone provider (AS559/SWITCH). By tracking the cardinality of each class over time and alarming on fast increases and other significant changes, we can early and reliably detect worm outbreaks. We successfully validated our method with archived flow-level traces of recent major Internet e-mail based worms such as MyDoomA and Sobig.F, and fast spreading network worms like Witty and Blaster. Our method is generic in the sense that it does not require any previous knowledge about the exploits and scanning method used by the worms. It can give a set of suspicious hosts in near real-time that have recently and drastically changed their network behaviour and hence are highly likely to be infected.
Published in: 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05)
Date of Conference: 13-15 June 2005
Date Added to IEEE Xplore: 03 January 2006
Print ISBN:0-7695-2362-5
Print ISSN: 1524-4547
DOI: 10.1109/WETICE.2005.40
Conference Location: Linköping, Sweden
References is not available for this document.
Contents

1. Introduction

As we currently approach one billion Internet users [14], more and more cyber criminals join in and misuse this worldwide network by setting free malicious worm code that infects hosts and aggressively spreads over the network. Surprisingly, many large operators of Internet backbones still do not see enough incentives for deploying security elements and for analysing their network traffic proactively in near real-time for new massive security incidents like worm outbreaks. Security in the Internet is mostly regarded as being the duty of the network users that should protect their end systems by a firewall and a virus scanner.

Select All
1.
http://www.sans.org/.
2.
V. Berk, G. Bakos, and R. Morris. Designing a Framework for Active Worm Detection on Global Networks. In Proceedings of the first IEEE International Workshop on Information Assurance (IWIA '03), March 2003, Darmstadt, Germany, Mar. 2003.
View Article
Google Scholar
3.
CERT. Advisory CA-2003-20 W32/Blaster worm, http://www.cert.org/ advisories/CA-2003-20.html, 2003.
Google Scholar
4.
CERT. Incident Note IN-2003-03 W32/Sobig.F. http://www.cert.org/ incident_notes/IN-2003-03.html, 2003.
Google Scholar
5.
CERT. Incident Note IN-2004-01. http://www.cert.org/incident_notes/IN- 2004-01.html, Jan. 2004.
Google Scholar
6.
B. Chun, J. Lee, and H. Weatherspoon. Netbait: a distributed worm detection service, http://netbait.planet-lab.org/, 2003.
Google Scholar
7.
DDoSVax - In Search of a Vaccine against DDoS Attacks. http://www.tik.ee.ethz.ch/~ddosvax/.
Google Scholar
8.
T. Dübendorfer, A. Wagner, T. Hossmann, and B. Plattner. Flow-level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone. In Proceedings of DIMVA 2005, LNCS3548, July 2005.
CrossRef Google Scholar
9.
L. Heberlein, G. Dias, K. Levitt, B. Mukherjee, J. Wood, and D. Wolber. A Network Security Monitor. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 296-304, 1990.
View Article
Google Scholar
10.
ISS. Internet Security Systems, http://www.iss.net/, 2004.
Google Scholar
11.
R. Lemos. MSBlast epidemic far larger than believed. http://news.com.com/ MSBlast+epidemic+far+larger+than+believed/2100-7349%_3-5184439.html, 2004.
12.
Microsoft Corporation. Microsoft Security Bulletin MS03-026. http://www.microsoft.com/technet/security/bulletin/MS03-02S.mspx, 2003.
13.
D. Moore. CAIDA's Network Telescope, http://www.caida.org/analysis/ security/telescope/, 2004.
Google Scholar
14.
How many online worlwide? http://www.era.ro/howmanyonline.htm, 2004.
15.
C. Schlegel and T. Dübendorfer. UPFrame - A generic open source UDP processing framework, http://www.tik.ee.ethz.ch/~ddosvax/upframe/, January 2005.
Google Scholar
16.
The Last Stage Of Delirium. Buffer Overrun in Windows RFC Interface, http://lsd-pl.net/special.html, 2004.
Google Scholar
17.
US-CERT. Vulnerability Note: Witty (VU#947254). http://www.kb.cert.org/ vuls/id/947254, 2004.

Contact IEEE to Subscribe

References

References is not available for this document.

IEEE Account

Purchase Details

Profile Information

Need Help?

A not-for-profit organization, IEEE is the world's largest technical professional organization dedicated to advancing technology for the benefit of humanity.
© Copyright 2025 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.