A Fast Worm Scan Detection Tool for VPN Congestion Avoidance

Wagner, Arno; Dübendorfer, Thomas; Hiestand, Roman; Göldi, Christoph; Plattner, Bernhard

doi:10.1007/11790754_11

Arno Wagner¹⁸,
Thomas Dübendorfer¹⁸,
Roman Hiestand¹⁸,
Christoph Göldi¹⁸ &
…
Bernhard Plattner¹⁸

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 4064))

Included in the following conference series:

International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment

860 Accesses
1 Citations

Abstract

Finding the cause for congested virtual private network (VPN) links that connect an office network over the Internet to remote company sites can be a hassle. Scan traffic of worm infected hosts is one important possible cause. We developed a scan detection tool, which continuously monitors network traffic on VPN gateway(s) and that reliably detects and reports worm infected hosts by tracking anomalous TCP, UDP and ICMP traffic. Our tool is not sensitive to most P2P software and was successfully tested on real production traffic as well as with traces of captured real and simulated worm traffic. Our various tests demonstrated a low false positive rate and a high detection rate. Our open source tool is an extension to the free intrusion detection system Bro. It was developed jointly by ETH Zurich and Open Systems, a company offering managed security services, one of which is based on the presented worm scan detection tool.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

References

Danyliw, R., Householder, A.: CERT Advisory CA-2001-19 Code Red Worm Exploiting Buffer verflow (2001), http://www.cert.org/advisories/CA-2001-19.html
US-CERT: Vulnerability Note: Witty (VU#947254) (2004), http://www.kb.cert.org/vuls/id/947254
Heberlein, L.T., Dias, G.V., Levitt, K.N., Mukherjee, B., Wood, J., Wolber, D.: A network security monitor. In: Proceedings of the IEEE Computer Society Symposium, Research in Security and Privacy, pp. 296–303 (1990)
Google Scholar
Paxson, V.: Bro: A system for detecting network intruders in real-time (1998), http://www.ece.cmu.edu/~adrian/731-sp04/readings/paxson99-bro.pdf
Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the IEEE Symposium on Security and Privacy (2004)
Google Scholar
Wagner, A., Plattner, B.: Entropy Based Worm and Anomaly Detection in Fast IP Networks. In: Proceedings of 14th IEEE WET ICE / STCA security workshop. IEEE, Los Alamitos (2005)
Google Scholar
Bro intrusion detection system (2005), http://www.bro-ids.org/
Schoenwaelder, J.: syslog - write messages to the system logger (2001), http://www.infodrom.org/projects/sysklogd/
Sommers, J., Vinod Yegneswaran, P.B.: A framework for malicious workload generation (2004), http://www.cs.wisc.edu/~jsommers/pubs/p82-sommers.pdf
The freenet project - index - beginner (2005), http://www.freenetproject.org
K++ / kazaa lite 2.6.1 deutsch - mp3 download software - [mpex.net] (2005), http://www.mpex.net/software/details/kazaalite.html
Dc++ your files, your ways, no limits (2005), http://dcplusplus.sourceforge.net
Limewire.org - open source p2p file sharing (2005), http://www.limewire.org
emule-project.net - official emule site. downloads, help, docu, news (2005), http://www.emule-project.net
CERT: Security Advisory: MS.Blaster (CA-2003-20) (2004), http://www.cert.org/advisories/CA-2003-20.html
Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer Worm. IEEE Security and Privacy 4(1), 33–39 (2003)
Google Scholar
Wagner, A., Dübendorfer, T., Plattner, B.: The DDoSVax project at ETH Zürich (2005), http://www.tik.ee.ethz.ch/~ddosvax/
Hiestand, R., Göldi, C.: Scan detection based identification of worm-infected hosts. Master’s thesis, ETH Zurich (2005)
Google Scholar
ETHZ: Fritz-Kutter Preis (2005), http://www.kutter-fonds.ethz.ch/preistr.html

Download references

Author information

Authors and Affiliations

Communication Systems Group, ETH Zurich, Switzerland
Arno Wagner, Thomas Dübendorfer, Roman Hiestand, Christoph Göldi & Bernhard Plattner

Authors

Arno Wagner
View author publications
You can also search for this author in PubMed Google Scholar
Thomas Dübendorfer
View author publications
You can also search for this author in PubMed Google Scholar
Roman Hiestand
View author publications
You can also search for this author in PubMed Google Scholar
Christoph Göldi
View author publications
You can also search for this author in PubMed Google Scholar
Bernhard Plattner
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

RWE AG, Opernplatz 1, 45128, Essen, Germany
Roland Büschkes
Wilhelm-Schickard-Institute for Computer Science, University of Tübingen, Tübingen, Germany
Pavel Laskov

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Wagner, A., Dübendorfer, T., Hiestand, R., Göldi, C., Plattner, B. (2006). A Fast Worm Scan Detection Tool for VPN Congestion Avoidance. In: Büschkes, R., Laskov, P. (eds) Detection of Intrusions and Malware & Vulnerability Assessment. DIMVA 2006. Lecture Notes in Computer Science, vol 4064. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11790754_11

Download citation

DOI: https://doi.org/10.1007/11790754_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-36014-8
Online ISBN: 978-3-540-36017-9
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics