ABSTRACT
After the Code Red incident in 2001 and SQL Slammer in January 2003, it is clear that a simple self-propagating worm can quickly spread across the Internet, infecting most vulnerable computers before people can take effective countermeasures. The fast-spreading nature of worms calls for a worm monitoring and early warning system. In this paper, we propose effective algorithms for early detection of the presence of a worm and the corresponding monitoring system. Based on an epidemic model and observation data from the monitoring system, and using the idea of "detecting the trend, not the rate" of monitored illegitimate scan traffic, we propose to use a Kalman filter to detect a worm's propagation at its early stage in real time. In addition, we can effectively predict the overall vulnerable population size and correct the bias in the observed number of infected hosts. Our simulation experiments for Code Red and SQL Slammer show that, with observation data from a small fraction of IP addresses, we can detect the presence of a worm when it infects only 1% to 2% of the vulnerable computers on the Internet.
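The "trend, not rate" idea in the abstract, as an added Python example that is not the paper's code: the simple epidemic model is discretized into a form that is linear in two parameters, a constant-state Kalman filter (assumed here; the paper's own estimator and observation model are not on this page) fits those parameters to monitored infection counts, the alarm fires once the estimated infection rate has settled at a positive value rather than when the count crosses a threshold, and the implied vulnerable population size is read off the same state. The epidemic curve, the Gaussian count noise, the prior variances and the stability thresholds are all constructed for the demonstration.

```python
import random

def simulate_epidemic(n_vuln, alpha, i0, ticks):
    # Simple epidemic model, one tick per step: I_t = I_{t-1} + alpha*I_{t-1}*(1 - I_{t-1}/N)
    infected = [float(i0)]
    for _ in range(ticks):
        prev = infected[-1]
        infected.append(prev + alpha * prev * (1.0 - prev / n_vuln))
    return infected

class TrendKalman:
    # Kalman filter with constant state x = [b1, b2] for the epidemic model rewritten as
    # y_t = b1*y_{t-1} + b2*y_{t-1}^2 (b1 = 1 + alpha, b2 = -alpha/N); zero process noise.
    def __init__(self, prior_var=(1.0, 1e-8), meas_var=100.0):
        self.x, self.R = [1.0, 0.0], meas_var           # prior state: no growth at all
        self.P = [[prior_var[0], 0.0], [0.0, prior_var[1]]]
    def update(self, y_prev, y):
        h = [y_prev, y_prev * y_prev]                   # regressor row for this tick
        Ph = [self.P[r][0] * h[0] + self.P[r][1] * h[1] for r in range(2)]
        s = h[0] * Ph[0] + h[1] * Ph[1] + self.R        # innovation variance
        K = [Ph[0] / s, Ph[1] / s]                      # Kalman gain
        innov = y - (h[0] * self.x[0] + h[1] * self.x[1])
        self.x = [self.x[0] + K[0] * innov, self.x[1] + K[1] * innov]
        self.P = [[self.P[r][c] - K[r] * Ph[c] for c in range(2)] for r in range(2)]
    def estimates(self):                                # (alpha_hat, N_hat) implied by the state
        alpha = self.x[0] - 1.0
        return alpha, (-alpha / self.x[1] if self.x[1] < 0 else float("inf"))

def detect_worm(observed, stable_ticks=5, tol=0.05):
    # Alarm once alpha_hat has stayed positive and moved < tol (relative) for stable_ticks
    # consecutive updates: the growth trend is established, whatever the absolute scan rate.
    kf, run, alarm, prev = TrendKalman(), 0, None, None
    for t in range(1, len(observed)):
        kf.update(observed[t - 1], observed[t])
        alpha, _ = kf.estimates()
        stable = prev is not None and alpha > 0 and abs(alpha - prev) < tol * abs(prev)
        run, prev = (run + 1 if stable else 0), alpha
        if alarm is None and run >= stable_ticks:
            alarm = t
    alpha_hat, n_hat = kf.estimates()
    return alarm, alpha_hat, n_hat

def run_demo(noise_std=0.0, seed=1, n_vuln=10000, alpha=0.3):
    # Constructed scenario: deterministic curve plus Gaussian count noise (stand-in for a partial monitor).
    true = simulate_epidemic(n_vuln, alpha, i0=10, ticks=60)
    rng = random.Random(seed)
    observed = [max(0.0, v + rng.gauss(0.0, noise_std)) for v in true]
    alarm, alpha_hat, n_hat = detect_worm(observed)
    frac = true[alarm] / n_vuln if alarm is not None else None
    return {"alarm_tick": alarm, "infected_frac_at_alarm": frac, "alpha_hat": alpha_hat, "n_hat": n_hat}
```

A constant scan count, however high, never raises the alarm because the estimated rate stays at zero, which is the point of watching the trend instead of the rate.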
Index Terms
- Monitoring and early warning for internet worms