research-article

CBSTM: Cloud-based Behavior Similarity Transmission Method to Detect Industrial Worms

Authors:

Jinjing ZhaoAuthors Info & Claims

ICCC '13: Proceedings of the Second International Conference on Innovative Computing and Cloud Computing

Pages 158 - 164

https://doi.org/10.1145/2556871.2556906

Published: 01 December 2013 Publication History

Abstract

Sophisticated industrial worms, such as Stuxnet, Flame, Duqu, have brought much threat in industrial networks. Most existing detection methods use content pattern or aggressive activities as a clue to the existence of worms, which are ineffective against worms that don't have their pattern been known and don't behave aggressively. To detect such worms, we proposed Cloud-based Behavior Similarity Transmission Method (CBSTM). CBSTM is a cloud-based method that utilizes the fundamental feature that a worm propagates from host to host. It monitors behaviors on each host in industrial networks. When same behaviors propagate among hosts and meet given criteria, corresponding hosts are believed to be infected by worms. When the worm is detected, the found behavior sequence is used as this worm's signature to realize instant worm detection afterwards. Since CBSTM doesn't need specific characteristics of worms, it can be generally applied to detecting any worms in industrial networks. The evaluation with detecting Stuxnet confirms the effectiveness of CBSTM.

References

[1]

Wikipedia. 2013. Stuxnet. Retrieved September 23, 2013 from http://en.wikipedia.org/wiki/Stuxnet.

[2]

Idika, N. and Mathur, A. P. 2007. A survey of malware detection techniques. Technical Report. Purdue University at West Lafayette.

[3]

Kumar, S. and Spafford, E. H. 1992. A generic virus scanner for c++. In Proceedings of the 8th Computer Security Applications Conference. IEEE, San Antonio, TX, 210-219.

[4]

Kruegel, C., Kirda, E., Mutz, D., Robertson, W. and Vigna, G. 2005. Polymorphic Worm Detection using Structural Information of Executables. In Proceedings of Recent Advances in Intrusion Detection. Springer-Verlag, Seattle, WA, 207-226.

Digital Library

[5]

Newsome, J., Karp, B. and Song, D. 2005. Polygraph: Automatically Generating Signatures for Polymorphic Worms. In Proceedings of IEEE Symposium on Security and Privacy. IEEE, Oakland, CA, 226-241.

Digital Library

[6]

Nissim, N., Moskovitch, R., Rokach, L. and Elovici Y. 2012. Detecting unknown computer worm activity via support vector machines and active learning. Pattern Analysis and Applications, 15 (Nov. 2012), 459-475.

Digital Library

[7]

Tang, Y. and Chen, S. 2007. An automated signature-based approach against polymorphic internet worms. IEEE Trans. On Parallel and Distributed Systems, 18 (July 2007), 879-892.

Digital Library

[8]

Zou, C.C., Gong, W., Towsley, D. and Gao L. 2005. The monitoring and early detection of internet worms. IEEE/ACM Trans. On Networking, 13 (October 2005), 961-974.

Digital Library

[9]

Wikipedia. 2013. Code Red (computer worm). Retrieved September 23, 2013 from http://en.wikipedia.org/wiki/Code_Red_(computer_worm).

[10]

Jhi, Y-C., Liu, P., Li, L., Gu, Q., Jing, J. and Kesidis, G. 2010. PWC: a proactive worm containment solution for enterprise networks. Security and Communication Networks, 3 (July 2010), 334-354.

[11]

Chen, S., Wang, X., Liu, L., Zhang, X. and Zhang, Z. 2006. WormTerminator: an effective containment of unknown and polymorphic fast spreading worms. In Proceedings of 2006 ACM/IEEE symposium on Architecture for networking and communications systems. ACM Press, San Jose, CA, 173-182.

Digital Library

[12]

Jiang, X. and Zhu, X. 2009. vEye: behavioral footprinting for self-propagating worm detection and profiling. Knowledge and Information Systems, 18 (February 2009), 231-262.

Digital Library

[13]

Kawaguchi, N., Shigeno, H. and Okada, K. 2007. Detection of silent worms using anomaly connection tree. In Proceedings of 21st Advanced Information Networking and Applications Conference. IEEE, Niagara Falls, ON, 412-419.

Digital Library

[14]

Process Control System PCS 7 Security concept PCS 7 & WinCC (Basic) Function Manual. Siemens, Nüürnberg, Germany, April 2012.

[15]

Wikipedia. 2013. SQL Slammer. Retrieved September 23, 2013 from http://en.wikipedia.org/wiki/SQL_Slammer.

[16]

Ellis, D., Aiken, J., Attwood, K. and Tenaglia, S. 2004. A behavioral approach to worm detection. In Proceedings of the 2004 ACM workshop on rapid malcode. ACM Press, Washington, DC, 43-53.

Digital Library

Cited By

Kawaguchi NTomimura HKomiyama TKubota KTsuichihara M(2017)Locating victims of destructive targeted attacks based on Suspicious Activity Spike Train2017 IEEE Symposium on Computers and Communications (ISCC)10.1109/ISCC.2017.8024636(871-878)Online publication date: Jul-2017
https://doi.org/10.1109/ISCC.2017.8024636

Index Terms

CBSTM: Cloud-based Behavior Similarity Transmission Method to Detect Industrial Worms

Recommendations

WORM vs. WORM: preliminary study of an active counter-attack mechanism
WORM '04: Proceedings of the 2004 ACM workshop on Rapid malcode

Self-propagating computer worms have been terrorizing the Internet for the last several years. With the increasing density, inter-connectivity and bandwidth of the Internet combined with security measures that inadequately scale, worms will continue to ...
Modeling and Detection of Camouflaging Worm

Active worms pose major security threats to the Internet. This is due to the ability of active worms to propagate in an automated fashion as they continuously compromise computers on the Internet. Active worms evolve during their propagation, and thus, ...
PAIDS: A Proximity-Assisted Intrusion Detection System for Unidentified Worms
COMPSAC '09: Proceedings of the 2009 33rd Annual IEEE International Computer Software and Applications Conference - Volume 01

The wide spread of worms poses serious challenges to today's Internet.Various IDSes (Intrusion Detection Systems) have been proposed to identify or prevent such spread. These IDSes can be largely classified as signature-based or anomaly-based ones ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ICCC '13: Proceedings of the Second International Conference on Innovative Computing and Cloud Computing

December 2013

285 pages

ISBN:9781450321198

DOI:10.1145/2556871

General Chairs:
Min Wu
Nanchang University, China
,
Wei Lee
Asia Pacific Human-Computer Interaction Research Center, Hong Kong
,
Program Chairs:
Yiyi Zhouzhou
Azerbaijan State Oil Academy, Azerbaijan
,
Riza Esa
Kuala Lumpur ACM Chapter, Malaysia
,
Xiang Lee
Hong Kong Education Society, Hong Kong

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

In-Cooperation

ACM Wuhan Chapter: ACM Wuhan Chapter

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 December 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article
Research
Refereed limited

Conference

ICCC '13

ICCC '13: 2013 The Second International Conference on Innovative Computing and Cloud Computing

December 1 - 2, 2013

Wuhan, China

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
175
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 03 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Kawaguchi NTomimura HKomiyama TKubota KTsuichihara M(2017)Locating victims of destructive targeted attacks based on Suspicious Activity Spike Train2017 IEEE Symposium on Computers and Communications (ISCC)10.1109/ISCC.2017.8024636(871-878)Online publication date: Jul-2017
https://doi.org/10.1109/ISCC.2017.8024636

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten