The monitoring and early detection of internet worms

IEEE/ACM Transactions on Networking

Volumn 13, Issue 5, 2005, Pages 961-974

  Zou, Cliff C ^a   Gong, Weibo ^b   Towsley, Don ^c   Gao, Lixin ^b  

^a University of Central Florida   (United States)

^b University of Massachusetts   (United States)

^c Biologically Inspired Neural and Dynamical Systems Laboratory   (United States)

Author keywords

Computer network security; Early detection; Internet worm; Network monitoring

Indexed keywords

COMPUTER SIMULATION; COMPUTER SYSTEM FIREWALLS; COMPUTER WORMS; KALMAN FILTERING; MATHEMATICAL MODELS; SECURITY OF DATA; SYSTEMS ANALYSIS; TELECOMMUNICATION TRAFFIC;

COMPUTER NETWORK SECURITY; INTERNET WORMS; NETWORK MONITORING; WORM MONITORING SYSTEM;

INTERNET;

EID: 28044469549     PISSN: 10636692     EISSN: None     Source Type: Journal    
DOI: 10.1109/TNET.2005.857113     Document Type: Article

References (50)

1. Symantec Corp.: Symantec Early Warning Solutions [Online]. Available: http://enterprisesecurity.symantec.com/SecurityServices/
2. eEye Digital Security: ida "Code Red" Worm (2001). [Online]. Available: http://www.eeye.com/html/Research/Advisories/AL20010717.html
3. eEye Digital Security: Blaster Worm Analysis (2003). [Online]. Available: http://www.eeye.com/html/Research/Advisories/AL20030811.html
4. B. D. O. Anderson and J. Moore, Optimal Filtering. Englewood Cliffs, NJ: Prentice Hall, 1979.
5. D. Anderson, T. Frivold, and A. Valdes, "Next-Generation Intrusion Detection Expert System (Nides): A Summary," SRI International, Tech. Rep. SRI-CSL-95-07, May 1995.
6. V. H. Berk, R. S. Gray, and G. Bakos, "Using sensor networks and data fusion for early detection of active worms," presented at the SPIE AeroSense Symp., Orlando, FL, 2003.
7. Cooperative Association for Internet Data Analysis (CAIDA). [Online]. Available: http://www.caida.org
8. CERT Coordination Center. [Online]. Available: http://www.cert.org
9. CERT/CC Advisories. [Online]. Available: http://www.cert.orgladvisories/
10. Z. Chen, L. Gao, and K. Kwiat, "Modeling the spread of active worms," in Proc. IEEE INFOCOM, Mar. 2003, pp. 1890-1900.
11. D. Dagon, X. Qin, G. Gu, W. Lee, J. Grizzard, J. Levin, and H. Owen. "Honeystat: Local worm detection using honeypots," in Proc. 7th Int. Symp. Recent Advances in Intrusion Detection (RAID), Sep. 2004, pp. 39-58.
12. D. J. Daley and J. Gani, Epidemic Modeling: An Introduction. Cambridge, U.K.: Cambridge Univ. Press, 1999.
13. D. Denning, "An intrusion detection model," IEEE Trans. Software Eng., vol. SE-13, no. 2, pp. 222-232, Feb. 1987.
14. D. Goldsmith. Incidents Maillist: Possible Codered Connection Attempts. [Online]. Available: http://lists.jammed.comlincidents/2001/07/0149.html
15. S. A. Hofmeyr, S. Forrest, and A. Somayaji, "Intrusion detection using sequences of system calls," J. Comput. Security, vol. 6, no. 3, pp. 151-180, 1998.
16. Honeynet Project. Know Your Enemy: Honeynets. [Online]. Available: http://www.honeynet.org/papers/gen2/index.html
17. Internet Storm Center. [Online]. Available: http://isc.sans.org/
18. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, "Fast portscan detection using sequential hypothesis testing," in Proc. IEEE Symp. Security and Privacy, May 2004, pp. 211-225.
19. J. Jung, S. E. Schechter, and A. W. Berger, "Fast detection of scanning worm infections," in Proc. 7th Int. Symp. Recent Advances in Intrusion Detection (RAID), Sep. 2004, pp. 59-81.
20. J. O. Kephart, S. R. White, and D. M. Chess, "Computers and epidemiology," IEEE Spectrum, vol. 30, no. 5, pp. 20-26, May 1993.
21. J. O. Kephart and S. R. White, "Directed-graph epidemiological models of computer viruses," in Proc. IEEE Symp. Security and Privacy, 1991, pp. 343-359.
22. J. O. Kephart and S. R. White, "Measuring and modeling computer virus prevalence," in Proc. IEEE Symp. Security and Privacy, 1993, pp.2-15.
23. H. Kim and B. Karp, "Autograph: Toward automated, distributed worm signature detection," in Proc. 13th USENIX Security Symp., San Diego, CA, Aug. 2004.
24. W. Lee and S. Stolfo, "A framework for constructing features and models for intrusion detection systems," ACM Trans. Inf. Syst. Security, vol. 3, no. 4, pp. 227-261, Nov. 2000.
25. L. Ljung and T. Soderstrom, Theory and Practice of Recursive Identification. Cambridge, MA: MIT Press, 1983.
26. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer worm," IEEE Security and Privacy Mag., vol. 1, no. 4, pp. 33-39, Jul. 2003.
27. D. Moore, C. Shannon, and J. Brown, "Code-Red: A case study on the spread and victims of an Internet worm," in Proc. 2nd ACM SIGCOMM Workshop an Internet Measurement, Nov. 2002, pp. 273-284.
28. D. Moore, C. Shannon, G. M. Voelker, and S. Savage, "Internet quarantine: Requirements for containing self-propagating code," in Proc. IEEE INFOCOM, Mar. 2003, pp. 1901-1910.
29. D. Moore, C. Shannon, G. M. Voelker, and S. Savage, "Network Telescopes," CAIDA, Tech. Rep. TR-2004-04, 2004.
30. R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson, "Characteristics of Internet background radiation," in Proc. Internet Measurement Conf. (IMC), Oct. 2004, pp. 27-40.
31. N. Provos, "A virtual honeypot framework," in Proc. 13th USENIX Security Symp., Aug. 2004, pp. 1-14.
32. SANS Inst. [Online]. Available: http://www.sans.org
33. D. Seeley, "A tour of the worm," in Proc. Winter USENIXConf., Jan. 1989, pp. 287-304.
34. C. Shannon and D. Moore. (2004, Mar.) The Spread of the Witty Worm. [Online]. Available: http://www.caida.orglanalysis/security/witty/
35. S. Singh, C. Estan, G. Varghese, and S. Savage, "Automated worm fingerprinting," in Proc. 6th ACM/USENIX Symp. Operating System Design and Implementation (OSDI), Dec. 2004, pp. 45-60.
36. S. Staniford, "Containment of scanning worms in enterprise networks," J. Comput. Security, to be published.
37. S. Staniford, V. Paxson, and N. Weaver, "How to own the Internet in your spare time," in Proc. USENIK Security Symp., Aug. 2002, pp. 149-167.
38. S. Staniford-Chen, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, and D. Zerkle, "GrIDS-A graph-based intrusion detection system for large networks," in Proc. 19th Nat. Information Systems Security Cong, Oct. 1996, pp. 361-370.
39. A. Valdes and K. Skinner, "Adaptive, model-based monitoring for cyber attack detection," in Proc. 3th Int. Symp. Recent Advances in Intrusion Detection (RAID), Oct. 2000, pp. 80-92.
40. D. Verton. (2003, Oct.) DHS Launches Cybersecurity Monitoring Project. [Online]. Available: http://www.peworld.com/news/article/ 0,aid,112764,00.asp
41. N. Weaver, S. Staniford, and V. Paxson, "Very fast containment of scanning worms," in Proc. 13th USENIX Security Symp., Aug. 2004, pp. 29-44.
42. M. M. Williamson, "Throttling viruses: Restricting propagation to defeat mobile malicious code," presented at the 18th Annu. Computer Security Applications Conf., Las Vegas, NV, Dec. 2002.
43. J. Wu, S. Vangala, L. Gao, and K. Kwiat, "An efficient architecture and algorithm for detecting worms with various scan techniques," presented at the 11th Annu. Network and Distributed System Security Symp. (NDSS'04), San Diego, CA, Feb. 2004.
44. C. C. Zou. (2004, Feb.) Internet Worm Propagation Simulator. [Online]. Available: http://www.cs.uef.edu/~czou/research/wormSimulation.html
45. C. C. Zou, L. Gao, W. Gong, and D. Towsley, "Monitoring and early warning for Internet worms," in Proc. 10th ACM Conf. Computer and Communications Security (CCS'03), Washington, DC, Oct. 2003, pp. 190-199.
46. C. C. Zou, W. Gong, and D. Towsley, "Code red worm propagation modeling and analysis," in Proc. 9th ACM Conf. Computer and Communications Security (CCS'02), 2002, pp. 138-147.
47. C. C. Zou, W. Gong, and D. Towsley, "Worm propagation modeling and analysis under dynamic quarantine defense," in Proc. ACM CCS Workshop on Rapid Malcode (WORM'03), Oct. 2003, pp. 51-60.
48. C. C. Zou, D. Towsley, and W. Gong, "On the performance of Internet worm scanning strategies," J. Performance Evaluation, to be published.
49. C. C. Zou, D. Towsley, and W. Gong, "Email worm modeling and defense," in Proc. 13th Int. Conf. Computer Communications and Networks (ICCCN'04), Oct. 2004, pp. 409-414.
50. C. C. Zou, D. Towsley, W. Gong, and S. Cai, "Routing worm: A fast, selective attack worm based on IP address information," in Proc. 19th Workshop on Principles of Advanced and Distributed Simulation (PADS'05), Jun. 2005, pp. 199-206.