Abstract
We present a monitoring system which detects repeated packets in network traffic, and has applications including detecting computer worms. It uses Bloom filters with counters. The system analyzes traffic in routers of a network. Our preliminary evaluation of the system involved traffic from our internal lab and a well known historical data set. After appropriate configuration, no false alarms are obtained under these data sets and we expect low false alarm rates are possible in many network environments. We also conduct simulations using real Internet Service Provider topologies with realistic link delays and simulated traffic. These simulations confirm that this approach can detect worms at early stages of propagation. We believe our approach, with minor adaptations, is of independent interest for use in a number of network applications which benefit from detecting repeated packets, beyond detecting worm propagation. These include detecting network anomalies such as dangerous traffic fluctuations, abusive use of certain services, and some distributed denial-of-service attacks.
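The mechanism the abstract describes, as an added illustration rather than the paper's own code: a Bloom filter with counters keyed on packet payload fingerprints, which raises an alarm once a payload has been seen a configured number of times. The hash construction, counter array size, threshold and decay step are assumptions made for this sketch.

```python
import hashlib
from typing import List

class RepeatedPacketMonitor:
    """Counting Bloom filter over packet payload fingerprints.

    Assumed design (added example, not the paper's code): each payload is
    hashed k ways into an array of m counters; a packet whose minimum
    counter reaches the threshold is reported as a repeated packet.
    """

    def __init__(self, m: int = 1 << 16, k: int = 4, threshold: int = 3) -> None:
        self.m, self.k, self.threshold = m, k, threshold
        self.counters = [0] * m

    def _indices(self, payload: bytes) -> List[int]:
        # k positions carved from one SHA-256 digest (constructed choice;
        # a router would use cheaper universal hashes)
        digest = hashlib.sha256(payload).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
                for i in range(self.k)]

    def observe(self, payload: bytes) -> int:
        """Record one packet; return the estimated number of times it was seen."""
        idx = self._indices(payload)
        for i in idx:
            self.counters[i] += 1
        # the minimum of the k counters never under-counts the true number
        return min(self.counters[i] for i in idx)

    def is_repeated(self, payload: bytes) -> bool:
        return self.observe(payload) >= self.threshold

    def decay(self) -> None:
        """Age every counter by one so stale traffic cannot accumulate into alarms."""
        self.counters = [c - 1 if c > 0 else 0 for c in self.counters]


def alarms_for(packets: List[bytes], threshold: int = 3) -> List[int]:
    """Indices of packets that trigger a repeated-packet alarm, in arrival order."""
    mon = RepeatedPacketMonitor(threshold=threshold)
    return [i for i, p in enumerate(packets) if mon.is_repeated(p)]

# Constructed sample traffic: distinct payloads plus one payload repeated four
# times, standing in for an identical worm probe passing through a router.
SAMPLE_PACKETS = [b"GET /index.html", b"probe-XYZ", b"SSH-2.0-client",
                  b"probe-XYZ", b"DNS query a", b"probe-XYZ", b"probe-XYZ"]

if __name__ == "__main__":
    print(alarms_for(SAMPLE_PACKETS))  # [5, 6]
```

The threshold and the periodic decay are the "appropriate configuration" knobs: raising the threshold or decaying faster trades detection delay for fewer false alarms on legitimately repeated traffic.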
Additional information
P. van Oorschot (Ph.D. Waterloo, 1988) is a Professor in the School of Computer Science at Carleton University, and Canada Research Chair in Network and Software Security. He is the founding director of Carleton's Digital Security Group. He has worked in research and development in cryptography and network security, including at Bell-Northern Research (Ottawa), and Entrust Technologies (Ottawa) as VP and Chief Scientist. He is coauthor of the standard reference Handbook of Applied Cryptography. His current research interests include authentication and identity management, network security, software protection, and security infrastructures.
J.-M. Robert is a Principal Security Researcher at Alcatel in Ottawa, Ontario. His research interests are network and telecom infrastructure security, focusing mainly on denial-of-service attacks and worm propagation. Previously, Dr. Robert worked as Security Director for the North American Development Center of Gemplus International as well as Professor at the Université du Québec à Chicoutimi. Dr. Robert received a Ph.D. in Computer Science from McGill University.
M. Vargas Martin is an Assistant Professor at the University of Ontario Institute of Technology (Oshawa, Canada), with faculty appointments in Business and Information Technology, as well as Engineering and Applied Science. He was previously a post-doctoral researcher at Carleton University supported in part by Alcatel Canada. He holds a Ph.D. in Computer Science (Carleton University, 2002), a Masters degree in Electrical Engineering (Cinvestav, Mexico, 1998), and a Bachelor of Computer Science (Universidad Autónoma de Aguascalientes, Mexico, 1996). His current research interests include network and host-based intrusion detection and reaction, mitigation of denial-of-service (DoS) and distributed DoS attacks, Web modeling and optimization, Internet connectivity, and interconnection protocols.
Cite this article
van Oorschot, P.C., Robert, JM. & Martin, M.V. A monitoring system for detecting repeated packets with applications to computer worms. Int. J. Inf. Secur. 5, 186–199 (2006). https://doi.org/10.1007/s10207-006-0081-8