This paper presents Netbait, a planetary-scale service for distributed detection of Internet worms. Netbait allows users to pose queries that identify which machines on a given network have been compromised based on the collective view of a geographically distributed set of machines. It is based on a distributed query processing architecture that evaluates queries expressed using a subset of SQL against a single logical database table. This single logical table is realized using a distributed set of relational databases, each populated by local intrusion detection systems running on Netbait server nodes. For speed, queries in Netbait are processed in parallel by distributing them over dynamically constructed query processing trees built over Tapestry, a distributed object and location routing (DOLR) layer. For efficiency, query results