
vEye: behavioral footprinting for self-propagating worm detection and profiling

Regular Paper. Knowledge and Information Systems.

Abstract

With unprecedented speed, virulence, and sophistication, self-propagating worms remain one of the most severe threats to information systems and to the Internet in general. To mitigate the threat, efficient mechanisms are needed to accurately profile and detect worms before or during their outbreaks. In particular, deriving a worm's unique signatures, or fingerprints, is the first priority in achieving this goal. One of the most popular approaches is to use content-based signatures, which characterize a worm by extracting its unique information payload. In practice, such content-based signatures unfortunately suffer from numerous disadvantages, such as vulnerability to content mutation attacks and inapplicability to polymorphic worms. In this paper, we propose a new behavioral footprinting (BF) approach that complements the state-of-the-art content-based signature approaches and allows users to detect and profile self-propagating worms from the perspective of the worm's unique behavior. More specifically, our behavioral footprinting method captures a worm's dynamic infection sequence (e.g., probing, exploitation, and replication) by modeling each interaction step as a behavior phenotype and denoting a complete infection process as a chained sequence of such phenotypes. We argue that a self-propagating worm's inherent behaviors or infection patterns can be detected and characterized using sequence alignment tools, where the patterns shared by the infection sequences imply the behavioral footprints of the worm. A systematic platform called vEye has been built to validate the proposed design with either "live" or historical worms, where a number of real-world infection sequences are used to build worm behavioral footprints. Experimental comparisons with existing content-based fingerprints demonstrate the uniqueness and effectiveness of the proposed behavioral footprints in self-propagating worm detection and profiling.
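To make the footprinting idea concrete, here is an added illustration that is not the paper's code and does not use vEye's own phenotype encoding: infection steps are mapped to a constructed single-letter phenotype alphabet, several constructed observations of one worm are globally aligned pairwise with Needleman-Wunsch, the symbols that line up in every pair form the behavioral footprint, and a new trace is then checked for that footprint in order. The alphabet, the sample sequences, and the scoring parameters are all assumptions made for the example.

```python
"""Behavioral footprinting sketch: one phenotype symbol per infection step;
pairwise alignment exposes the core that all observed infections share."""
from itertools import combinations

# Constructed phenotype alphabet (an assumption, not the paper's own encoding).
PHENOTYPES = {"P": "port probe", "C": "TCP connect", "E": "exploit sent", "S": "shell",
              "D": "worm binary downloaded", "X": "payload executed", "N": "noise"}

# Constructed infection sequences of one worm seen by different sensors; repeated
# probes and stray noise traffic differ between observations, the core does not.
OBSERVED = ["PCESDX", "PPCESDX", "PCNESDX", "NPCESDX"]

def needleman_wunsch(a, b, match=2, mismatch=-1, gap=-1):
    """Global alignment of two phenotype strings: (score, aligned_a, aligned_b)."""
    n, m = len(a), len(b)
    # Score matrix; first row/column carry the cost of leading gaps.
    sc = [[gap * (i + j) if i == 0 or j == 0 else 0 for j in range(m + 1)]
          for i in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = match if a[i - 1] == b[j - 1] else mismatch
            sc[i][j] = max(sc[i-1][j-1] + sub, sc[i-1][j] + gap, sc[i][j-1] + gap)
    i, j, out_a, out_b = n, m, [], []  # traceback from the bottom-right corner
    while i > 0 or j > 0:
        sub = match if i and j and a[i - 1] == b[j - 1] else mismatch
        if i and j and sc[i][j] == sc[i-1][j-1] + sub:
            out_a.append(a[i - 1]); out_b.append(b[j - 1]); i -= 1; j -= 1
        elif i and sc[i][j] == sc[i-1][j] + gap:
            out_a.append(a[i - 1]); out_b.append("-"); i -= 1
        else:
            out_a.append("-"); out_b.append(b[j - 1]); j -= 1
    return sc[n][m], "".join(reversed(out_a)), "".join(reversed(out_b))

def conserved(aligned_a, aligned_b):
    """Symbols that line up identically in both sequences: the shared pattern."""
    return "".join(x for x, y in zip(aligned_a, aligned_b) if x == y and x != "-")

def footprint(sequences):
    """Fold the pairwise shared patterns into the one pattern common to all."""
    fp = None
    for a, b in combinations(sequences, 2):
        shared = conserved(*needleman_wunsch(a, b)[1:])
        fp = shared if fp is None else conserved(*needleman_wunsch(fp, shared)[1:])
    return fp

def matches_footprint(candidate, fp):
    """Detection check: the footprint occurs, in order, inside an observed trace."""
    it = iter(candidate)
    return all(sym in it for sym in fp)
```

Running `footprint(OBSERVED)` yields the conserved chain probe, connect, exploit, shell, download, execute, while a trace that only probes and connects does not match it.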




Corresponding author

Correspondence to Xingquan Zhu.

Additional information

A preliminary version of this paper was published in the Proceedings of the 4th ACM Workshop on Recurring Malcode (WORM 2006), Fairfax, VA, 2006. This research has been supported by the National Science Foundation (NSF) under Grant No. CNS-0716376 and National Science Foundation of China (NSFC) under Grant No. 60674109.


Cite this article

Jiang, X., Zhu, X. vEye: behavioral footprinting for self-propagating worm detection and profiling. Knowl Inf Syst 18, 231–262 (2009). https://doi.org/10.1007/s10115-008-0137-3
