Abstract
Outbreaks of network worms cause tremendous damage to the Internet, and worm defense and response improve a network's resistance to such attacks. Tracing a worm's propagation process after its outbreak reconstructs not only the earliest infected nodes but also the order in which victims were infected. By improving an existing offline worm-tracing algorithm, we achieve near-real-time tracing of the propagation of scanning worms: detection points in different LANs collect network traffic data in real time and partition it into consecutive sliding detection windows; within each window, we repeatedly and randomly sample paths that contain worm scanning and infection flows, and reconstruct the worm propagation path for the current window. Results accumulated over successive detection windows are continuously corrected by feedback, so that the reconstruction reflects the propagation process in real time. We built a virtual experimental environment for worm propagation and tracing to evaluate the algorithm. Tracing a network worm's propagation from the initial attack can curb its continued spread, keep further hosts from being infected, and provide a basis for determining the origin of the attack.
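The window-by-window sampling described in the abstract, as an added example that is not the paper's code: a simplified random-walk sampler (in the spirit of random moonwalks) over flow records. Flow records are assumed to be (timestamp, source host, destination host) triples already classified upstream as worm scan or infection traffic; the sample traffic, the window width and step (4 and 2 time units), the 200 walks per window, the 4-unit lookback and the host names are all constructed for the illustration and are not from the paper. Within each window, walks start at a random flow and jump backwards to a flow that contacted the current source shortly before, so edges on causal infection chains are visited far more often than background chatter; the per-edge visit counts accumulate across windows and the tree is read off as each host's most-visited incoming edge.

```python
"""Sliding-window tracing of a scanning worm's propagation (added example,
not the paper's implementation). Walk counts from successive windows are
accumulated, so an edge seen in an early window keeps refining the tree
as later windows arrive."""
import random
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

Flow = Tuple[float, str, str]  # (timestamp, source host, destination host)

# Constructed sample traffic, not captured data: the infection tree
# A->B, B->C, A->D, C->E plus background chatter among hosts N1..N4.
SAMPLE_FLOWS: List[Flow] = [
    (1.0, "A", "B"), (3.0, "B", "C"), (4.0, "A", "D"), (6.0, "C", "E"),
    (0.5, "N1", "N3"), (1.5, "N3", "N4"), (2.5, "N4", "N1"), (3.5, "N2", "N3"),
    (4.5, "N1", "N4"), (5.5, "N3", "N1"), (6.5, "N4", "N2"), (7.0, "N2", "N1"),
]


def sliding_windows(flows: List[Flow], width: float, step: float) -> Iterator[List[Flow]]:
    """Split flows into overlapping windows [start, start + width) advanced by step."""
    if not flows:
        return
    start, t_max = min(f[0] for f in flows), max(f[0] for f in flows)
    while start <= t_max:
        yield [f for f in flows if start <= f[0] < start + width]
        start += step


def moonwalk_counts(flows: List[Flow], walks: int, max_hops: int,
                    lookback: float, rng: random.Random) -> Dict[Tuple[str, str], int]:
    """Run backward random walks inside one window; return edge -> visit count."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for _ in range(walks if flows else 0):
        cur = rng.choice(flows)
        for _ in range(max_hops):
            t, src, dst = cur
            counts[(src, dst)] += 1
            # Candidate infectors of src: flows into src within lookback before t.
            preds = [f for f in flows if f[2] == src and t - lookback <= f[0] < t]
            if not preds:
                break
            cur = rng.choice(preds)
    return counts


class OnlineTracer:
    """Accumulates per-window walk counts and reads off the propagation tree."""

    def __init__(self, width=4.0, step=2.0, walks=200, max_hops=8, lookback=4.0, seed=7):
        self.width, self.step = width, step
        self.walks, self.max_hops, self.lookback = walks, max_hops, lookback
        self.rng = random.Random(seed)
        self.counts: Dict[Tuple[str, str], int] = defaultdict(int)
        self.first_seen: Dict[Tuple[str, str], float] = {}

    def update(self, window: List[Flow]) -> None:
        """Feed one detection window; counts from earlier windows are kept."""
        new = moonwalk_counts(window, self.walks, self.max_hops, self.lookback, self.rng)
        for edge, c in new.items():
            self.counts[edge] += c
        for t, src, dst in window:
            self.first_seen[(src, dst)] = min(t, self.first_seen.get((src, dst), t))

    def feed(self, flows: List[Flow]) -> None:
        for window in sliding_windows(flows, self.width, self.step):
            self.update(window)

    def infection_tree(self) -> Dict[str, Tuple[str, float]]:
        """victim -> (most-visited infector, time of that contact)."""
        best: Dict[str, Tuple[str, int]] = {}
        for (src, dst), c in self.counts.items():
            if dst not in best or c > best[dst][1]:
                best[dst] = (src, c)
        return {dst: (src, self.first_seen[(src, dst)]) for dst, (src, _) in best.items()}


def trace_back(tree: Dict[str, Tuple[str, float]], victim: str) -> List[str]:
    """Follow infector links from a known victim back to the earliest node in its chain."""
    chain, seen = [victim], {victim}
    while chain[-1] in tree and tree[chain[-1]][0] not in seen:  # seen guards cycles
        parent = tree[chain[-1]][0]
        chain.append(parent)
        seen.add(parent)
    return chain[::-1]


def propagation_order(tree: Dict[str, Tuple[str, float]], root: str) -> List[Tuple[str, float]]:
    """All victims reachable from root, in the order they were contacted."""
    children = defaultdict(list)
    for dst, (src, t) in tree.items():
        children[src].append((dst, t))
    order, stack, seen = [], [root], {root}
    while stack:
        for dst, t in children[stack.pop()]:
            if dst not in seen:
                seen.add(dst)
                order.append((dst, t))
                stack.append(dst)
    return sorted(order, key=lambda x: x[1])


if __name__ == "__main__":
    tracer = OnlineTracer()
    tracer.feed(SAMPLE_FLOWS)
    tree = tracer.infection_tree()
    print("chain to E:", " -> ".join(trace_back(tree, "E")))
    print("infection order from A:", propagation_order(tree, "A"))
```

Because a walk can only step backwards within the window it runs in, a chain longer than one window (here C->E at t=6 cannot reach A->B at t=1 inside any single window) is only recovered by the accumulated counts across windows, which is the role the feedback step plays in the abstract. The example ranks every host's incoming edge, so background hosts also receive an "infector"; in the real system the detection points' scan-rate classification keeps such non-worm flows out of the sampled paths.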
Supported by NSFC (60703023) and the Seed Fund of JiLin University. Corresponding author: Qiang Li, li_qiang@jlu.edu.cn
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Xiang, Y., Li, Q. (2008). Online Tracing Scanning Worm with Sliding Window. In: Pei, D., Yung, M., Lin, D., Wu, C. (eds) Information Security and Cryptology. Inscrypt 2007. Lecture Notes in Computer Science, vol 4990. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-79499-8_38
DOI: https://doi.org/10.1007/978-3-540-79499-8_38
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-79498-1
Online ISBN: 978-3-540-79499-8