
Detecting Worm Propagation Using Traffic Concentration Analysis and Inductive Learning

  • Conference paper
Intelligent Data Engineering and Automated Learning – IDEAL 2004 (IDEAL 2004)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 3177))

Abstract

As a vast number of services flood onto the Internet, Internet resources are increasingly likely to be exposed to hacking activities such as the Code Red and SQL Slammer worms. Since worms spread quickly over the Internet using self-propagation mechanisms, it is crucial to detect worm propagation and protect those resources in order to secure the network infrastructure. In this paper, we propose a mechanism to detect worm propagation using the computation of entropy of network traffic and the compilation of network traffic. In experiments, we tested our framework in simulated network settings and could successfully detect worm propagation.

This work has been supported by the Korea Research Foundation under grant KRF-2003-041-D20465, and by the KISTEP under the National Research Laboratory program.




Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Noh, S., Lee, C., Ryu, K., Choi, K., Jung, G. (2004). Detecting Worm Propagation Using Traffic Concentration Analysis and Inductive Learning. In: Yang, Z.R., Yin, H., Everson, R.M. (eds) Intelligent Data Engineering and Automated Learning – IDEAL 2004. IDEAL 2004. Lecture Notes in Computer Science, vol 3177. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-28651-6_59


  • DOI: https://doi.org/10.1007/978-3-540-28651-6_59

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-22881-3

  • Online ISBN: 978-3-540-28651-6

  • eBook Packages: Springer Book Archive
