Automated worm fingerprinting (2004)

by Sumeet Singh, Cristian Estan, George Varghese, Stefan Savage
Venue: OSDI
Citations: 239 (6 self)

BibTeX

@INPROCEEDINGS{Singh04automatedworm,
    author = {Sumeet Singh and Cristian Estan and George Varghese and Stefan Savage},
    title = {Automated worm fingerprinting},
    booktitle = {In OSDI},
    year = {2004},
    pages = {45--60}
}

Abstract

Network worms are a clear and growing threat to the security of today’s Internet-connected hosts and networks. The combination of the Internet’s unrestricted connectivity and widespread software homogeneity allows network pathogens to exploit tremendous parallelism in their propagation. In fact, modern worms can spread so quickly, and so widely, that no human-mediated reaction can hope to contain an outbreak. In this paper, we propose an automated approach for quickly detecting previously unknown worms and viruses based on two key behavioral characteristics – a common exploit sequence together with a range of unique sources generating infections and destinations being targeted. More importantly, our approach – called “content sifting” – automatically generates precise signatures that can then be used to filter or moderate the spread of the worm elsewhere in the network. Using a combination of existing and novel algorithms, we have developed a scalable content sifting implementation with low memory and CPU requirements. Over months of active use at UCSD, our Earlybird prototype system has automatically detected and generated signatures for all pathogens known to be active on our network as well as for several new worms and viruses which were unknown at the time our system identified them. Our initial experience suggests that, for a wide range of network pathogens, it may be practical to construct fully automated defenses – even against so-called “zero-day” epidemics.
