Abstract
Worm detection and response systems must act quickly to identify and quarantine scanning worms, since, when left unchecked, such worms have been able to infect the majority of vulnerable hosts on the Internet in a matter of minutes [9]. We present a hybrid approach to detecting scanning worms that integrates significant improvements we have made to two existing techniques: sequential hypothesis testing and connection rate limiting. Our results show that this two-pronged approach successfully restricts the number of scans that a worm can complete, is highly effective, and has a low false alarm rate.
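As an added illustration (not code from the paper or its authors), the following Python sketch combines the two techniques the abstract names: a per-host sequential probability ratio test (Wald's SPRT, [33]) over the outcomes of first-contact connection attempts, and a credit-based connection rate limit that bounds how many unanswered first contacts a host can issue before the test reaches a verdict. The success probabilities, error rates, starting credit balance and refund rule are assumed values chosen for the illustration, not figures from the paper.

```python
import math
from dataclasses import dataclass

# Example parameters, assumed for illustration (not the paper's values).
THETA_BENIGN = 0.8     # P(first-contact connection succeeds | benign host)
THETA_INFECTED = 0.2   # P(first-contact connection succeeds | infected host)
ALPHA, BETA = 0.01, 0.01  # target false-positive / false-negative rates
INITIAL_CREDITS = 10   # credits a host may spend on unanswered first contacts
UPPER = math.log((1 - BETA) / ALPHA)  # LLR at/above this => "infected"
LOWER = math.log(BETA / (1 - ALPHA))  # LLR at/below this => "benign"

@dataclass
class HostState:
    llr: float = 0.0                # cumulative log-likelihood ratio (SPRT)
    credits: int = INITIAL_CREDITS  # credit-based rate-limit balance
    verdict: str = ""               # "", "benign" or "infected"

def try_connect(state: HostState) -> bool:
    """Rate limiter: a first-contact attempt costs one credit; quarantined or
    out-of-credit hosts are refused before any probe leaves the network."""
    if state.verdict == "infected" or state.credits <= 0:
        return False
    state.credits -= 1
    return True

def record_outcome(state: HostState, succeeded: bool) -> str:
    """Feed one first-contact outcome to the SPRT; refund credits on success."""
    if succeeded:
        state.credits = min(INITIAL_CREDITS, state.credits + 2)  # assumed refund
        state.llr += math.log(THETA_INFECTED / THETA_BENIGN)
    else:
        state.llr += math.log((1 - THETA_INFECTED) / (1 - THETA_BENIGN))
    if state.llr >= UPPER:
        state.verdict = "infected"  # quarantine: no further first contacts
    elif state.llr <= LOWER:
        state.verdict, state.llr = "benign", 0.0  # restart the test
    return state.verdict

def replay(outcomes: list) -> dict:
    """Replay a host's first-contact outcomes (True = peer answered)."""
    state, allowed = HostState(), 0
    for ok in outcomes:
        if not try_connect(state):
            break
        allowed += 1
        if record_outcome(state, ok) == "infected":
            break
    return {"allowed": allowed, "verdict": state.verdict, "credits": state.credits}
```

With these parameters each unanswered probe adds ln 4 to the log-likelihood ratio, so a host whose first contacts all fail (for example `replay([False] * 40)`) is quarantined after its fourth attempt, while a host whose contacts mostly succeed settles on "benign" and keeps its credits.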
References
Bakos, G., Berk, V.: Early detection of internet worm activity by metering ICMP destination unreachable messages. In: Proceedings of the SPIE Aerosense (2002)
Berk, V., Bakos, G., Morris, R.: Designing a framework for active worm detection on global networks. In: Proceedings of the IEEE International Workshop on Information Assurance (March 2003)
Berk, V.H., Gray, R.S., Bakos, G.: Using sensor networks and data fusion for early detection of active worms. In: Proceedings of the SPIE Aerosense Conference (April 2003)
CERT. “Code Red II:” another worm exploiting buffer overflow in IIS indexing service DLL, http://tinyurl.com/2lzgb
F-Secure. Computer virus information pages: Lovsan, http://tinyurl.com/ojd1
F-Secure. Computer virus information pages: Mimail.J, http://tinyurl.com/3ybsp
Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the IEEE Symposium on Security and Privacy, May 9-12 (2004)
Kienzle, D.M., Elder, M.C.: Recent worms: a survey and trends. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, October 27, pp. 1–10. ACM Press, New York (2003)
Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer worm. IEEE Security and Privacy 1, 33–39 (2003)
Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: Proceedings of IEEE INFOCOM, April 1-3 (2003)
Network Associates Inc. Security threat report for W32/MydoomMM, http://tinyurl.com/2asgc
Paxson, V.: Bro: A system for detecting network intruders in real-time, http://www.icir.org/vern/bro-info.html
Paxson, V.: Bro: a system for detecting network intruders in real-time. Computer Networks 31(23-24), 2435–2463 (1999)
Sidiroglou, S., Keromytis, A.D.: Countering network worms through automatic patch generation. Technical Report CUCS-029-03 (2003)
Sidiroglou, S., Keromytis, A.D.: A network worm vaccine architecture. In: Proceedings of the IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WETICE), Workshop on Enterprise Security (June 2003)
Staniford, S.: Containment of scanning worms in enterprise networks. Journal of Computer Security (forthcoming)
Staniford, S., Hoagland, J., McAlerney, J.: Practical automated detection of stealthy portscans. Journal of Computer Security 10(1), 105–136 (2002)
Staniford, S., Paxson, V., Weaver, N.: How to 0wn the Internet in your spare time. In: Proceedings of the 11th USENIX Security Symposium, August 7-9 (2002)
Staniford-Chen, S., Cheung, S., Crawford, R., Dilger, M., Frank, J., Hoagland, J., Levitt, K., Wee, C., Yip, R., Zerkle, D.: GrIDS – A graph-based intrusion detection system for large networks. In: Proceedings of the 19th National Information Systems Security Conference, October 1996, vol. 1, pp. 361–370 (1996)
Symantec. Security response – CodeRed II, http://tinyurl.com/89t0
Symantec. Security response – W32.Novarg.Amm, http://tinyurl.com/2lv95
Twycross, J., Williamson, M.M.: Implementing and testing a virus throttle. In: Proceedings of the 12th USENIX Security Symposium, August 4-8 (2003)
von Ahn, L., Blum, M., Langford, J.: Telling humans and computers apart (automatically) or how lazy cryptographers do AI. Technical Report CMUCS-02-117 (February 2002)
Wald, A.: Sequential Analysis. J. Wiley & Sons, New York (1947)
Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: Proceedings of the 2003 ACM Workshop on Rapid Malcode, October 27, pp. 11–18. ACM Press, New York (2003)
Weaver, N., Staniford, S., Paxson, V.: Very fast containment of scanning worms. In: Proceedings of the 13th USENIX Security Symposium, August 9-13 (2004)
Williamson, M.M.: Throttling viruses: Restricting propagation to defeat malicious mobile code. In: Proceedings of The 18th Annual Computer Security Applications Conference (ACSAC 2002), December 9-13 (2002)
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Schechter, S.E., Jung, J., Berger, A.W. (2004). Fast Detection of Scanning Worm Infections. In: Jonsson, E., Valdes, A., Almgren, M. (eds) Recent Advances in Intrusion Detection. RAID 2004. Lecture Notes in Computer Science, vol 3224. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30143-1_4
DOI: https://doi.org/10.1007/978-3-540-30143-1_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23123-3
Online ISBN: 978-3-540-30143-1