A monitoring system for detecting repeated packets with applications to computer worms

Regular Contribution, International Journal of Information Security

Abstract

We present a monitoring system which detects repeated packets in network traffic, and has applications including detecting computer worms. It uses Bloom filters with counters. The system analyzes traffic in routers of a network. Our preliminary evaluation of the system involved traffic from our internal lab and a well-known historical data set. After appropriate configuration, no false alarms are obtained under these data sets, and we expect low false alarm rates are possible in many network environments. We also conduct simulations using real Internet Service Provider topologies with realistic link delays and simulated traffic. These simulations confirm that this approach can detect worms at early stages of propagation. We believe our approach, with minor adaptations, is of independent interest for use in a number of network applications which benefit from detecting repeated packets, beyond detecting worm propagation. These include detecting network anomalies such as dangerous traffic fluctuations, abusive use of certain services, and some distributed denial-of-service attacks.
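As an added illustration, not code from the paper, the following Python sketch shows the core mechanism the abstract describes: a Bloom filter whose cells are counters, used to flag a packet once its payload has been seen a configured number of times. The abstract does not fix the hash construction, counter width, alert threshold, payload field or reset policy, so those are assumptions here, and the traffic is constructed.

```python
import hashlib
from typing import List

class CountingBloomFilter:
    """Bloom filter whose cells are saturating counters (8-bit cells are an assumption)."""
    def __init__(self, m: int = 1 << 16, k: int = 4) -> None:
        self.m, self.k = m, k
        self.counters = [0] * m

    def _indexes(self, data: bytes) -> List[int]:
        # k positions derived from one SHA-256 digest by double hashing (our choice, not the paper's)
        d = hashlib.sha256(data).digest()
        h1, h2 = int.from_bytes(d[:8], "big"), int.from_bytes(d[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, data: bytes) -> int:
        """Count one more sighting of data; return the estimate so far (never an undercount)."""
        idx = self._indexes(data)
        for i in idx:
            self.counters[i] = min(self.counters[i] + 1, 255)
        return min(self.counters[i] for i in idx)

    def reset(self) -> None:
        """Clear all counters, e.g. at the start of each monitoring window (assumed policy)."""
        self.counters = [0] * self.m

class RepeatedPacketMonitor:
    """Flags a packet once its payload has been seen at least `threshold` times in the window."""
    def __init__(self, threshold: int, m: int = 1 << 16, k: int = 4) -> None:
        self.filter, self.threshold = CountingBloomFilter(m, k), threshold

    def observe(self, payload: bytes) -> bool:
        # Collisions can only inflate the estimate, so a threshold set too low means false alarms.
        return self.filter.add(payload) >= self.threshold

def run_monitor(packets: List[bytes], threshold: int = 3) -> List[int]:
    """Return the indexes of packets that raised an alert when fed to a fresh monitor."""
    mon = RepeatedPacketMonitor(threshold)
    return [i for i, p in enumerate(packets) if mon.observe(p)]

WORM_LIKE = b"constructed-repeated-payload" * 3  # constructed stand-in, not a real worm payload

def sample_traffic() -> List[bytes]:
    """Constructed traffic: 200 distinct payloads with WORM_LIKE repeated five times."""
    packets = [f"GET /page{i} HTTP/1.1".encode() for i in range(200)]
    for pos in (20, 60, 100, 140, 180):
        packets.insert(pos, WORM_LIKE)  # copies land at indexes 20, 60, 100, 140, 180
    return packets  # run_monitor(sample_traffic()) -> [100, 140, 180]: the 3rd, 4th and 5th copy
```

With the default threshold of 3 only the third and later copies of the repeated payload are flagged, while the 200 distinct payloads stay silent; raising the threshold trades earlier detection for fewer false alarms, which is the configuration step the abstract refers to.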



Author information

Correspondence to Miguel Vargas Martin.

P. van Oorschot (Ph.D. Waterloo, 1988) is a Professor in the School of Computer Science at Carleton University, and Canada Research Chair in Network and Software Security. He is the founding director of Carleton's Digital Security Group. He has worked in research and development in cryptography and network security, including at Bell-Northern Research (Ottawa), and Entrust Technologies (Ottawa) as VP and Chief Scientist. He is coauthor of the standard reference Handbook of Applied Cryptography. His current research interests include authentication and identity management, network security, software protection, and security infrastructures.

J.-M. Robert is a Principal Security Researcher at Alcatel in Ottawa, Ontario. His research interests are network and telecom infrastructure security, focusing mainly on denial-of-service attacks and worm propagation. Previously, Dr. Robert worked as Security Director for the North American Development Center of Gemplus International as well as Professor at the Université du Québec à Chicoutimi. Dr. Robert received a Ph.D. in Computer Science from McGill University.

M. Vargas Martin is an Assistant Professor at the University of Ontario Institute of Technology (Oshawa, Canada), with faculty appointments in Business and Information Technology, as well as Engineering and Applied Science. He was previously a post-doctoral researcher at Carleton University supported in part by Alcatel Canada. He holds a Ph.D. in Computer Science (Carleton University, 2002), a Masters degree in Electrical Engineering (Cinvestav, Mexico, 1998), and a Bachelor of Computer Science (Universidad Autónoma de Aguascalientes, Mexico, 1996). His current research interests include network and host-based intrusion detection and reaction, mitigation of denial-of-service (DoS) and distributed DoS attacks, Web modeling and optimization, Internet connectivity, and interconnection protocols.

Cite this article

van Oorschot, P.C., Robert, JM. & Martin, M.V. A monitoring system for detecting repeated packets with applications to computer worms. Int. J. Inf. Secur. 5, 186–199 (2006). https://doi.org/10.1007/s10207-006-0081-8
