Proceedings Article. DOI: 10.1145/1103626.1103637
Worm evolution tracking via timing analysis
Moheeb Abu Rajab, Fabian Monrose, Andreas Terzis, and 2 more
- 11 Nov 2005
- pp. 52-59
Abstract: We present a technique to infer a worm's infection sequence from traffic traces collected at a network telescope. We analyze the fidelity of the infection evolution as inferred by our technique, and explore its effectiveness under varying constraints including the scanning rate of the worm, the size of the vulnerable population, and the size of the telescope itself. Moreover, we provide guidance regarding the point at which our method's accuracy diminishes beyond practical value. As we show empirically, this point is reached well after a few hundred initial infected hosts (possibly including "patient zero") have been reliably identified with more than 80% accuracy. We generalize our mechanism by exploiting the change in the pattern of inter-arrival times exhibited during the early stages of such an outbreak to detect the presence and approximate size of the hit-list. Our mechanism is resilient to varying parameters like the worm scanning rate and the size of the vulnerable population, and can provide significant insights into the characteristics of the hit-list even under spreading dynamics that exceed those of currently known worms. Lastly, to illustrate the practicality of our solution, we apply our approach to real-world traces of the Witty worm and provide a refined estimate on the previously suspected hit-list size.
Citations
Darknet as a Source of Cyber Intelligence: Survey, Taxonomy, and Characterization
Claude Fachkha, Mourad Debbabi, and 1 more
TL;DR: A survey on darknet finds that Honeyd is probably the most practical tool to implement darknet sensors, and future deployment of darknet will include mobile-based VOIP technology, and specific darknet areas that require a significantly greater amount of attention from the research community are identified.
An analysis of the witty outbreak: exploiting underlying structure for detailed reconstruction of an internet-scale event
Vern Paxson
- 11 Nov 2005
TL;DR: It is shown that by carefully exploiting the structure of the worm, especially its pseudo-random number generation, from limited and imperfect telescope data, this work can with high fidelity extract the individual rate at which each infectee injected packets into the network prior to loss.
Forensic Analysis for Epidemic Attacks in Federated Networks
Yinglian Xie, Vyas Sekar, Michael K. Reiter, Hui Zhang, and 3 more
- 12 Nov 2006
TL;DR: It is demonstrated that it is feasible for large-scale attack investigation to be incrementally deployed in an Internet-like federation and by sharing local investigation results, ADs can achieve global investigative capabilities that are comparable to a centralized implementation with access to global traffic records.
Predictive Network Anomaly Detection and Visualization
TL;DR: A novel approach to anomaly estimation based on the well-known Fisher linear discriminant (FLD) that uses short-term observations of network features and their respective time averaged entropies and empirically determines that these network features obey Gaussian-like distributions.
On the impact of dynamic addressing on malware propagation
Moheeb Abu Rajab, Fabian Monrose, Andreas Terzis, and 2 more
- 03 Nov 2006
TL;DR: This work presents a model that can be used to understand the impact of varying levels of NAT deployment on malware that spread by preferentially scanning the IP space and shows that NATting impedes malware propagation in several ways and can have a significant impact on non-uniform scanning worms.