A Multi-Resolution Approach forWorm Detection and Containment

Sekar, Vyas; Xie, Yinglian; Reiter, Michael K.; Zhang, Hui

doi:10.1109/dsn.2006.6

Cited by 36 publications

(25 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The MRW detector was first published in 2006 [6]. It is based on the observation that whereas worm scanning results in connections to many destinations, during legitimate operations the growth curve of the number of distinct destinations over time is concave.…”

Section: The Selected Worm Detectorsmentioning

confidence: 99%

“…After our exhaustive evaluation of worm detectors, we are left with the following selections: TRW [7], RBS [20], TRWRBS [20], PGD [21], DSC [8], and MRW [6]. We discuss these detectors in greater detail in the next section.…”

Section: Detector Selectionmentioning

confidence: 99%

“…Algorithms are typically published with evaluations against a single network trace, which is different for different algorithms and generally not available publicly. For example, the MRW detector was evaluated against an unidentified week-long trace of a university department with 1,133 identified hosts [6], whereas the TRW algorithm was evaluated against two traces collected at the peering link of an ISP containing 404 and 451 identified hosts [7]. Furthermore, worm detectors are evaluated with different performance metrics, and tested worms do not always follow the same set of parameters (such as scanning strategy and speed).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Behavior-Based Worm Detectors Compared

Stafford¹,

Zhang²

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Many worm detectors have been proposed and are being deployed, but the literature does not clearly indicate which one is the best. New worms such as IKEE.B (also known as the iPhone worm) continue to present new challenges to worm detection, further raising the question of how effective our worm defenses are. In this paper, we identify six behavior-based worm detection algorithms as being potentially capable of detecting worms such as IKEE.B, and then measure their performance across a variety of environments and worm scanning behaviors, using common parameters and metrics. We show that the underlying network trace used to evaluate worm detectors significantly impacts their measured performance. An environment containing substantial gaming and file sharing traffic can cause the detectors to perform poorly. No single detector stands out as suitable for all situations. For instance, connection failure monitoring is the most effective algorithm in many environments, but it fails badly at detecting topologically aware worms.

show abstract

Section: The Selected Worm Detectorsmentioning

confidence: 99%

Section: Detector Selectionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Behavior-Based Worm Detectors Compared

Stafford¹,

Zhang²

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Most existing containment schemes impose a single threshold rate on the entire host, such as several distinct IP connections per second, regardless of the application demands, thus affecting the performance of legitimate applications. Sekar et al [11] proposed use of different detection thresholds during different time windows, but they still applied these thresholds without differentiating processes on the host.…”

Section: Introductionmentioning

confidence: 99%

Containment of network worms via per-process rate-limiting

Zeng

Wang

et al. 2008

Proceedings of the 4th International Conference on Security and Privacy in Communication Netowrks

View full text Add to dashboard Cite

Network worms pose a serious threat to the Internet infrastructure as well as end-users. Various techniques have been proposed for detection of, and response against worms. A frequently-used and automated response mechanism is to rate-limit outbound worm traffic while maintaining the operation of legitimate applications, offering a gentler alternative to the usual detect-and-block approach. However, most rate-limiting schemes to date only focus on host-level network activities and impose a single threshold on the entire host, failing to (i) accommodate network-intensive applications and (ii) effectively contain network worms at the same time. To alleviate these limitations, we propose a per-process-based containment framework in each host that monitors the fine-grained runtime behavior of each process and accordingly assigns the process a suspicion level generated by a machine-learning algorithm. We have also developed a heuristic to optimally map each suspicion level to the rate-limiting threshold. The framework is shown to be effective in containing network worms and allowing the traffic of legitimate programs, achieving lower false-alarm rates.

show abstract

“…However, it was acknowledged that if the worm speed is slow enough to cause interspersed traffic throughout a large amount of normal traffic, detection with the SWORD system becomes difficult. In [3] a multi-resolution approach for worm detection was proposed to deal with the limitations of simple threshold-based detection methods. Using a number of unique destinations contacted as a basis for anomaly detection, the multi-resolution approach used different thresholds during different time windows to detect attacks of different speeds.…”

Section: Introduction and Related Workmentioning

confidence: 99%

Detection of slow malicious worms using multi-sensor data fusion

Akujobi

Lambadaris

Kranakis

2009

2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications

View full text Add to dashboard Cite

Abstract-Detection of slow worms is particularly challenging due to the stealthy nature of their propagation techniques and their ability to blend with normal traffic patterns. In this paper, we propose a distributed detection approach based on the Generalized Evidence Processing (GEP) theory, a sensor integration and data fusion technique. With GEP theory, evidence collected by distributed detectors determine the probability associated with a detection decision under a hypothesis. The collected evidence is combined to arrive at an optimal fused detection decision by minimizing a cummulative decision risk function. Typically, malicious traffic flows of varying scanning rates can occur in the wild, and the difficulty in detecting slow scanning worms in particular can be exacerbated by interference from other traffic flows scanning at faster rates. Our proposed detection technique uses a window-based self adapting profiler to filter detected malicious traffic profiles with scanning rates greater than the low scanning rates we are interested in. Experiments on a live test-bed are used to demonstrate behavior of the technique.

show abstract

A Multi-Resolution Approach forWorm Detection and Containment

Cited by 36 publications

References 15 publications

Behavior-Based Worm Detectors Compared

Behavior-Based Worm Detectors Compared

Containment of network worms via per-process rate-limiting

Detection of slow malicious worms using multi-sensor data fusion

Contact Info

Product

Resources

About