by Xinzhou Qin, David Dagon, Guofei Gu, Wenke Lee
ftp://ftp.cc.gatech.edu/pub/coc/tech_reports/2004/GIT-CC-04-04.pdf
Abstract:
The need for a global monitoring system for Internet worm detection is clear, and the need for local detection and response is just as obvious. In this study we used a large data set to review several worm monitoring and detection strategies proposed for large networks and found them difficult to apply to local networks. In particular, the Kalman filter and victim-number-based approaches proved unsuitable for smaller networks: they are appropriate for large systems, but what works well for a local network? We propose two algorithms tailored to local network monitoring. First, the Destination-Source Correlation (DSC) algorithm focuses on the infection relation and tracks hosts that are actually infected (rather than merely scanned or scanning), so that the response can be targeted accurately. Second, the HoneyStat system tracks the short-term infection behavior exhibited by worms, which potentially provides a basis for statistical inference about a worm's behavior on a network.
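The DSC premise stated in the abstract, worked through as an added illustration (editor's code, not the paper's implementation): a local host is counted as a victim only when an inbound connection on some port p is followed, within a time window, by that host's own outbound connections on p to several distinct destinations. The monitored prefix, the fan-out threshold, the window and the flow records are constructed assumptions. A plain scan-count detector is shown alongside for contrast: it flags every high-fan-out source, including the external scanner and a busy but uninfected client, whereas the correlation names only the local hosts that were hit and then propagated, together with the host that infected each of them.

```python
"""Destination-source correlation (DSC) over flow records (illustrative).

A host is a victim only if it first receives a connection on port p and then,
shortly afterwards, initiates connections on p to many other hosts. Hosts that
only scan, and hosts that are merely scanned, are not counted as victims.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")   # assumed monitored network
FANOUT = 3      # distinct destinations before a host counts as propagating (assumed)
WINDOW = 60.0   # seconds allowed between the inbound hit and the outbound spray (assumed)

# Constructed flow records: (t_seconds, src, dst, dport), in time order.
FLOWS = [
    (0, "198.51.100.7", "10.0.0.5", 445),   # external scanner hits .5 ...
    (1, "198.51.100.7", "10.0.0.6", 445),   # ... .6 (scanned, never propagates) ...
    (2, "198.51.100.7", "10.0.0.9", 445),   # ... and .9
    (10, "10.0.0.5", "10.0.0.20", 445),     # .5 now sprays port 445 outward
    (11, "10.0.0.5", "10.0.0.21", 445),
    (12, "10.0.0.5", "10.0.0.22", 445),
    (13, "10.0.0.5", "10.0.0.23", 445),
    (20, "10.0.0.20", "10.0.0.30", 445),    # .20 was hit by .5 and propagates too
    (21, "10.0.0.20", "10.0.0.31", 445),
    (22, "10.0.0.20", "10.0.0.32", 445),
    (23, "10.0.0.20", "10.0.0.33", 445),
    (30, "10.0.0.40", "10.0.0.50", 80),     # busy web client: outbound on 80,
    (31, "10.0.0.40", "10.0.0.51", 80),     # but never contacted on 80 itself
    (32, "10.0.0.40", "10.0.0.52", 80),
    (33, "10.0.0.40", "10.0.0.53", 80),
]


def is_local(addr):
    return ip_address(addr) in LOCAL_NET


def dsc_victims(flows, fanout=FANOUT, window=WINDOW):
    """Return {victim: {"port", "infector", "t_in", "t_out"}} via DSC."""
    first_inbound = {}            # (local host, port) -> (t, src that connected to it)
    outbound = defaultdict(set)   # (local host, port) -> distinct destinations since the hit
    victims = {}
    for t, src, dst, dport in sorted(flows):
        # Remember the first host that reached each local (host, port).
        if is_local(dst) and (dst, dport) not in first_inbound:
            first_inbound[(dst, dport)] = (t, src)
        # Outbound traffic on a port the host was itself contacted on is the
        # infection relation; count its fan-out within the window.
        if is_local(src) and (src, dport) in first_inbound and src not in victims:
            t_in, infector = first_inbound[(src, dport)]
            if 0 < t - t_in <= window:
                outbound[(src, dport)].add(dst)
                if len(outbound[(src, dport)]) >= fanout:
                    victims[src] = {"port": dport, "infector": infector,
                                    "t_in": t_in, "t_out": t}
    return victims


def scan_sources(flows, fanout=FANOUT):
    """Naive scan detector: any source touching >= fanout distinct dsts on one port."""
    seen = defaultdict(set)
    for _, src, dst, dport in flows:
        seen[(src, dport)].add(dst)
    return {src for (src, _), dsts in seen.items() if len(dsts) >= fanout}


def infection_chain(victims, host):
    """Follow infector links back from host (host first, origin last); cycle-safe."""
    chain, seen = [host], set()
    while chain[-1] in victims and chain[-1] not in seen:
        seen.add(chain[-1])
        chain.append(victims[chain[-1]]["infector"])
    return chain


if __name__ == "__main__":
    v = dsc_victims(FLOWS)
    print("scan-count detector flags:", sorted(scan_sources(FLOWS)))
    print("DSC victims:", {h: d["infector"] for h, d in v.items()})
    print("chain for 10.0.0.20:", " <- ".join(infection_chain(v, "10.0.0.20")))
```

The scan-count detector reports four sources (the external scanner, the two victims and the uninfected web client); DSC reports only 10.0.0.5 and 10.0.0.20, and the recorded infector links give the chain 198.51.100.7 -> 10.0.0.5 -> 10.0.0.20, which is what a targeted response needs. Shrinking the window below the gap between hit and spray yields no victims at all, so the window is the parameter to tune against observed worm behavior.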
Citations
(citation count | title – authors – year)
797 | A new approach to linear filtering and prediction problems – Kalman – 1960
144 | Code-Red: a case study on the spread and victims of an Internet worm – Moore, Shannon, et al. – 2002
121 | Code red worm propagation modeling and analysis – Zou, Gong, et al. – 2002
94 | Monitoring and early warning for internet worms – Zou, Gao, et al. – 2003
93 | Modeling the spread of active worms – Chen, Gao, et al. – 2003
93 | A virtual honeypot framework – Provos – 2004
78 | Directed-graph epidemiological models of computer viruses – Kephart, White – 1991
72 | Honeypots: Tracking Hackers – Spitzner – 2002
51 | Anomaly detection of Web-based attacks – Kruegel, Vigna – 2003
44 | Measuring and modeling computer virus prevalence – Kephart, White – 1993
41 | An effective architecture and algorithm for detecting worms with various scan techniques – Wu, Vanagala, et al. – 2004
37 | Network telescopes: observing small or distant security events – Moore – 2002
29 | Computers and epidemiology – Kephart, Chess, et al. – 1993
25 | Routing worm: a fast, selective attack worm based on IP address information – Zou, Towsley, et al. – 2005
24 | Warhol worm: the potential for very fast Internet plagues – Weaver
23 | The use of honeynets to detect exploited systems across large enterprise networks – Levine, LaBella, et al. – 2002
18 | Using sensor networks and data fusion for early detection of active worms – Berk, Gray, et al. – 2000
15 | How to 0wn the Internet in your spare time – Staniford, Paxson, Weaver – 2002
9 | Applied Logistic Regression – Hosmer, Lemeshow – 1989 – Wiley-Interscience
5 | Know Your Enemy: Honeynets – The Honeynet Project – 2001 – http://project.honeynet.org/papers/honeynet
5 | Counter Hack – Skoudis – 2002 – Upper Saddle River
4 | Code red analysis pages: July infestation analysis – Staniford – 2001 – http://www.silicondefense.com/cr/july.html
2 | Waikato Internet Traffic Storage (WITS) – Waikato – http://wad.cs.waikato.ac.nz/wand/wits/index.html