The limits of global scanning worm detectors in the presence of background noise

Published: 11 November 2005

Abstract

Internet worms cause billions of dollars in damage each year. To combat them, researchers have been exploring global worm detection systems to spot a new random scanning worm outbreak quickly. These systems passively listen for worm probes on unused IP addresses, looking for anomalous increases in probe traffic to distinguish the emergence of a new worm from background Internet noise. In this paper, we use analytic modeling, simulation, and measurement to understand how background noise impacts the detection ability of global scanning worm detectors. We investigate the relationship between the average background noise level, the number of IP addresses monitored, and the detection latency for two classes of global scanning worm detectors: scan packet-based and victims-based schemes. Our results show how worm detection latency degrades as a function of the background noise level. To compensate, global scanning worm detectors can increase the number of IP addresses that they monitor. However, given the growth trend of background noise levels, the number of IP addresses which must be monitored may quickly become unreasonable. Because of this, we conclude that global scanning worm detection schemes are unlikely to be competitive with local scanning and signature-based worm detection schemes.
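The trade-off the abstract describes (latency rising with background noise, falling with the number of monitored addresses, and the monitored block having to grow with the noise) can be worked through in a toy model. This is an added example, not the paper's model or code: it assumes Poisson background noise, a scan-packet detector that fires when probes into its block exceed k standard deviations of that noise, a discrete-time SI epidemic for the worm, and constructed parameter values.

```python
import math

ADDRESS_SPACE = 2 ** 32  # IPv4 space that a random-scanning worm probes uniformly


def infected_needed(noise_rate, monitored, scan_rate, k=3.0):
    """Infected hosts at which worm probes landing in the monitored block exceed
    k standard deviations of the Poisson background noise (assumed model).
    noise_rate: background probes per monitored address per second
    monitored:  unused addresses the detector listens on
    scan_rate:  scans per second per infected host"""
    noise_mean = noise_rate * monitored        # expected noise probes/s
    margin = k * math.sqrt(noise_mean)         # Poisson std dev is sqrt(mean)
    return margin * ADDRESS_SPACE / (scan_rate * monitored)


def monitored_needed(noise_rate, scan_rate, target_infected, k=3.0):
    """Addresses the detector must watch to fire by target_infected hosts;
    solving infected_needed(...) == target_infected for `monitored` shows the
    requirement grows linearly with the noise rate."""
    return (k * ADDRESS_SPACE) ** 2 * noise_rate / (scan_rate * target_infected) ** 2


def time_to_reach(target, vulnerable, initial, scan_rate, dt=1.0, max_t=1e6):
    """Seconds until a discrete-time SI epidemic reaches `target` infected hosts:
    each infected host scans scan_rate random addresses per second and infects
    any uninfected vulnerable host it hits. None if target is never reached."""
    if target > vulnerable:
        return None
    infected, t = float(initial), 0.0
    while infected < target and t < max_t:
        infected += infected * scan_rate * dt * (vulnerable - infected) / ADDRESS_SPACE
        t += dt
    return t if infected >= target else None


def detection_latency(noise_rate, monitored, scan_rate, vulnerable, initial=1, k=3.0):
    """Seconds from the first infection until the detector's threshold is crossed."""
    target = infected_needed(noise_rate, monitored, scan_rate, k)
    return time_to_reach(target, vulnerable, initial, scan_rate)


if __name__ == "__main__":
    # Constructed parameters: 360k vulnerable hosts, 10 scans/s per infected host.
    for lam in (1e-5, 4e-5, 1.6e-4):
        for m in (2 ** 16, 2 ** 20):
            lat = detection_latency(lam, m, 10, 360_000)
            print(f"noise={lam:.1e}/addr/s  monitored=2^{int(math.log2(m))}  "
                  f"latency={lat / 3600:.2f} h")
```

In this model the detector's signal grows linearly with the monitored block while the noise margin grows only with its square root, so quadrupling the noise rate must be met by quadrupling the monitored addresses to keep the same latency.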

Published In

WORM '05: Proceedings of the 2005 ACM workshop on Rapid malcode
November 2005
94 pages
ISBN: 1595932291
DOI: 10.1145/1103626
Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. computer security
  2. computer worms
  3. scanning worms
  4. worm detection
  5. worm models

Cited By

  • (2016) Darknet as a Source of Cyber Intelligence: Survey, Taxonomy, and Characterization. IEEE Communications Surveys & Tutorials 18(2):1197-1227. DOI 10.1109/COMST.2015.2497690. Online publication date: Oct-2017.
  • (2011) Darknet-Based Inference of Internet Worm Temporal Characteristics. IEEE Transactions on Information Forensics and Security 6(4):1382-1393. DOI 10.1109/TIFS.2011.2161288. Online publication date: 1-Dec-2011.
  • (2010) Characterizing and defending against divide-conquer-scanning worms. Computer Networks: The International Journal of Computer and Telecommunications Networking 54(18):3210-3222. DOI 10.1016/j.comnet.2010.06.010. Online publication date: 1-Dec-2010.
  • (2009) HoneyLab. Proceedings of the 2009 Third International Conference on Network and System Security, pp. 381-388. DOI 10.1109/NSS.2009.65. Online publication date: 19-Oct-2009.
  • (2009) Active Worm Early Detection Using Network Sniffer. Proceedings of the 2009 International Conference on Advances in Computing, Control, and Telecommunication Technologies, pp. 784-786. DOI 10.1109/ACT.2009.198. Online publication date: 28-Dec-2009.
  • (2008) Fast and Black-box Exploit Detection and Signature Generation for Commodity Software. ACM Transactions on Information and System Security 12(2):1-35. DOI 10.1145/1455518.1455523. Online publication date: 1-Dec-2008.
  • (2008) Understanding Divide-Conquer-Scanning Worms. 2008 IEEE International Performance, Computing and Communications Conference, pp. 51-58. DOI 10.1109/PCCC.2008.4745139. Online publication date: Dec-2008.
  • (2006) The impact of stochastic variance on worm propagation and detection. Proceedings of the 4th ACM workshop on Recurring malcode, pp. 57-64. DOI 10.1145/1179542.1179555. Online publication date: 3-Nov-2006.
