
Behavior-Based Worm Detectors Compared

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 6307)

Abstract

Many worm detectors have been proposed and are being deployed, but the literature does not clearly indicate which one is the best. New worms such as IKEE.B (also known as the iPhone worm) continue to present new challenges to worm detection, further raising the question of how effective our worm defenses are. In this paper, we identify six behavior-based worm detection algorithms as being potentially capable of detecting worms such as IKEE.B, and then measure their performance across a variety of environments and worm scanning behaviors, using common parameters and metrics. We show that the underlying network trace used to evaluate worm detectors significantly impacts their measured performance. An environment containing substantial gaming and file sharing traffic can cause the detectors to perform poorly. No single detector stands out as suitable for all situations. For instance, connection failure monitoring is the most effective algorithm in many environments, but it fails badly at detecting topologically aware worms.
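The abstract's last two sentences name a trade-off that is worth seeing concretely: a connection-failure monitor flags hosts whose outbound connection attempts keep failing (random scanners hit many unused addresses), but a topologically aware worm that only contacts hosts its victim already knows produces no failures at all, and a benign file-sharing client with a stale peer list can look like a scanner. The following is an added illustration, not the paper's code or its evaluation harness: a deliberately simple fixed-threshold failure counter (the paper's detectors and parameters are not reproduced here), run over a constructed traffic mix with hypothetical host addresses.

```python
from collections import defaultdict


def make_flows(src, n_total, n_fail, dst_base):
    """Build n_total constructed flow records from src; the first n_fail fail.

    A record is (src, dst, outcome) with outcome "fail" meaning the
    connection attempt got a RST or timed out, and "ok" meaning it completed.
    """
    flows = []
    for i in range(n_total):
        dst = f"{dst_base}.{i + 1}"
        flows.append((src, dst, "fail" if i < n_fail else "ok"))
    return flows


# Constructed traffic for one monitoring window (hypothetical hosts, not a real trace).
RANDOM_SCANNER = "10.0.0.5"  # infected; random scanning, most probes reach nothing
TOPO_WORM = "10.0.0.9"       # infected; only contacts hosts already known to be up
P2P_CLIENT = "10.0.0.7"      # benign file-sharing client with a stale peer list
NORMAL_HOST = "10.0.0.2"     # benign, ordinary client traffic

SAMPLE_FLOWS = (
    make_flows(RANDOM_SCANNER, 20, 18, "192.0.2")
    + make_flows(TOPO_WORM, 20, 0, "10.0.1")
    + make_flows(P2P_CLIENT, 12, 7, "198.51.100")
    + make_flows(NORMAL_HOST, 10, 0, "10.0.1")
)
INFECTED = {RANDOM_SCANNER, TOPO_WORM}  # ground truth for the constructed window


def failure_counts(flows):
    """Count failed connection attempts per source host (hosts with no failures are omitted)."""
    counts = defaultdict(int)
    for src, _dst, outcome in flows:
        if outcome == "fail":
            counts[src] += 1
    return dict(counts)


def detect_scanners(flows, threshold=5):
    """Flag every source whose failure count reaches the threshold; returns a sorted list."""
    return sorted(src for src, n in failure_counts(flows).items() if n >= threshold)


def evaluate(flows, infected, threshold=5):
    """Score the detector against ground truth: hits, misses and false positives."""
    flagged = set(detect_scanners(flows, threshold))
    return {
        "detected": sorted(flagged & infected),
        "missed": sorted(infected - flagged),
        "false_positives": sorted(flagged - infected),
    }


if __name__ == "__main__":
    # Lower thresholds catch the scanner sooner but also flag the P2P client;
    # no threshold catches the topologically aware worm, which never fails.
    for t in (5, 10):
        print(f"threshold={t}: {evaluate(SAMPLE_FLOWS, INFECTED, t)}")
```

Raising the threshold removes the file-sharing false positive but does nothing for the missed topologically aware worm, which is the point the abstract makes: the choice of trace (how much gaming and peer-to-peer traffic it contains) and the worm's scanning strategy both change the measured result, so no single parameter setting or detector wins everywhere.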

This material is based upon work supported by the United States National Science Foundation under Grant No. CNS-0644434. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.




Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Stafford, S., Li, J. (2010). Behavior-Based Worm Detectors Compared. In: Jha, S., Sommer, R., Kreibich, C. (eds) Recent Advances in Intrusion Detection. RAID 2010. Lecture Notes in Computer Science, vol 6307. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15512-3_3


  • DOI: https://doi.org/10.1007/978-3-642-15512-3_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-15511-6

  • Online ISBN: 978-3-642-15512-3

  • eBook Packages: Computer Science (R0)
