
Online Tracing Scanning Worm with Sliding Window

  • Conference paper
Information Security and Cryptology (Inscrypt 2007)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4990)

Abstract

Outbreaks of network worms cause tremendous damage to the Internet. Launching worm defense and response can improve the anti-attack capability of networks. Tracing the worm propagation process after an outbreak can reconstruct not only the earliest infected nodes but also the order in which victims were infected. By improving an existing offline worm tracing algorithm, we realize near real-time tracing of the propagation process of a scanning worm: network traffic data are collected in real time by detection points in different LANs and then separated into continuous-time detection sliding windows; in every time window, we repeatedly and randomly collect paths that contain worm scanning and infected flow rate, and reconstruct the path of worm propagation in the current detection window. Results accumulated over sequential detection sliding windows are continually amended through feedback and reflect the process of worm propagation in real time. We establish a virtual experimental environment of worm propagation and tracing to evaluate the algorithm. Tracing network worm propagation from the initial attack can inhibit continuous spread of the worm, ensure that no more hosts are infected by the worm, and provide a basis for determining the origin of the worm attack.

Supported by NSFC(60703023) and Seed Fund of JiLin University. Corresponding author: Qiang Li, li_qiang@jlu.edu.cn
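The windowed tracing loop described in the abstract can be sketched as follows. This is an added example, not code from the paper: it assumes the offline algorithm being extended is a random-moonwalk style backward walk (Xie et al., 2005), and the flow tuple layout, the parameter values and the constructed trace are all assumptions made for illustration.

```python
import random
from collections import Counter, defaultdict

def constructed_trace():
    """Constructed sample flows (time, src, dst): A infects B, B infects C, C infects D."""
    flows = [(10, "A", "B"), (20, "B", "C"), (30, "C", "D")]
    for host, t0 in {"A": 0, "B": 10, "C": 20, "D": 30}.items():
        # once infected, a host sends one failed scan per second to an unused address
        flows += [(t, host, f"dark{t}") for t in range(t0 + 1, 40)]
    # benign client-to-server requests
    flows += [(t, f"c{t % 5}", "srv") for t in range(0, 40, 2)]
    return sorted(flows)

def moonwalk(flows, rng, walks, max_hops, dt):
    """Random backward walks over one window; counts how often each flow is traversed."""
    inbound = defaultdict(list)
    for f in flows:
        inbound[f[2]].append(f)
    hits = Counter()
    for _ in range(walks):
        cur = rng.choice(flows)
        for _ in range(max_hops):
            hits[cur] += 1
            t, src = cur[0], cur[1]
            # step back to a flow that reached this sender at most dt earlier
            earlier = [f for f in inbound[src] if t - dt <= f[0] < t]
            if not earlier:
                break
            cur = rng.choice(earlier)
    return hits

def trace_online(flows, window=20, step=10, walks=400, max_hops=8, dt=15, k=3, seed=7):
    """Slide a window over the trace, accumulate walk counts, snapshot the top-k flows."""
    rng, total, snapshots = random.Random(seed), Counter(), []
    start, last = flows[0][0], flows[-1][0]
    while start <= last:
        in_window = [f for f in flows if start <= f[0] < start + window]
        if in_window:
            total.update(moonwalk(in_window, rng, walks, max_hops, dt))
        # feedback amendment: the ranking is recomputed from all windows seen so far
        snapshots.append((start, [f for f, _ in total.most_common(k)]))
        start += step
    return snapshots

if __name__ == "__main__":
    for start, ranked in trace_online(constructed_trace()):
        print(f"window starting t={start}: {ranked}")
```

Sorting the final top-k flows by timestamp gives the reconstructed infection order, and the source of the earliest one is the candidate origin; choosing k equal to the number of infection edges is only possible here because the trace is constructed.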




Editor information

Dingyi Pei Moti Yung Dongdai Lin Chuankun Wu


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Xiang, Y., Li, Q. (2008). Online Tracing Scanning Worm with Sliding Window. In: Pei, D., Yung, M., Lin, D., Wu, C. (eds) Information Security and Cryptology. Inscrypt 2007. Lecture Notes in Computer Science, vol 4990. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-79499-8_38


  • DOI: https://doi.org/10.1007/978-3-540-79499-8_38

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-79498-1

  • Online ISBN: 978-3-540-79499-8

  • eBook Packages: Computer Science (R0)
