Abstract
A P2P worm exploits common vulnerabilities and spreads through peer-to-peer networks. Although it has recently been recognized as a potential and deadly threat to the Internet, few relevant countermeasures are found in the existing literature. Once it breaks out, a P2P worm could cause unpredictable losses. Based on the propagation characteristics of the worm, this paper presents a detection method called PWD (P2P Worm Detection), which is designed around application identification and unknown worm detection. Both simulation results and LAN-environment experiment results indicate that PWD is an effective method for detecting and blocking P2P worms.
Translated from Journal of Beijing University of Aeronautics and Astronautics, 2006, 32(8): 998–1002 [译自: 北京航空航天大学学报]
Xia, C., Shi, Y., Li, X. et al. P2P worm detection based on application identification. Front. Comput. Sc. China 1, 114–122 (2007). https://doi.org/10.1007/s11704-007-0010-7
DOI: https://doi.org/10.1007/s11704-007-0010-7