A monitoring system for detecting repeated packets with applications to computer worms

International Journal of Information Security

Volumn 5, Issue 3, 2006, Pages 186-199

  van Oorschot, Paul C ^a   Robert, Jean Marc ^b   Martin, Miguel Vargas ^c  

^a CARLETON UNIVERSITY   (Canada)

^b Research and Innovation Centre Security Group   (Canada)

^c UNIVERSITY OF ONTARIO INSTITUTE OF TECHNOLOGY   (Canada)

Author keywords

Anomaly detection; Computer worms; Intrusion detection; Network security; Traffic monitoring

Indexed keywords

EID: 33745133346     PISSN: 16155262     EISSN: 16155270     Source Type: Journal    
DOI: 10.1007/s10207-006-0081-8     Document Type: Article

References (63)

1. Anderson, T., Mahajan, R., Spring, N., Wetherall, D.: Rocketfuel: An ISP topology mapping engine (2003). http://www.cs.washington.edu/research/ networking/rocketfuel/ [Accessed: August 2, 2003]
2. Barbour, A., Holst, L., Janson, S.: Poisson Approximation. Oxford University Press, New York (1992)
3. Bertsekas, D., Gallager, R.: Data Networks. Prentice Hall, Englewood Cliffs, NJ (1992)
4. Bloom, B.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13 (17), 422-426 (1970)
5. Boutsikas, M., Koutras, M.: On the number of overflown urns and excess balls in an allocation model with limited urn capacity. Stat. Plan. Inference 104, 259-286 (2002)
6. Broder, A., Kumar, R., Maghoul, F., Raghavan, P., Rajagopalan, S., Stata, R., Tomkins, A., Wiener, J.: Graph structure in the Web. Newblock Comput. Netw. 33 (1-6), 309-320 (2000)
7. Broder, A., Mitzenmacher, M.: Network applications of Bloom filters: A survey. Internet Math. 1 (4), 485-509 (2003-2004)
8. CERIAS Intrusion Detection Research Group, T.: Digging for worms, fishing for answers. In: Proceedings of the Annual Computer Security Application Conference (ACSAC'02). Las Vegas (2002)
9. Chen, X., Heidemann, J.: Detecting early worm propagation through packet matching. Tech. Rep. ISI-TR-2004-585, University of Southern California (2004)
10. Cormen, T., Leiserson, C., Rivest, R., Stein, C.: Introduction to Algorithms, 2nd edn. MIT Press, McGraw-Hill, New York (2001)
11. Crosby, S., Wallach, D.: Denial of service via algorithmic complexity attacks. In: Proceedings of the 12th USENIX Security Symposium. Washington, DC (2003)
12. Daley, D., Gani, J.: Epidemic Modelling: An Introduction. Cambridge University Press, Cambridge, UK (1999)
13. Dharmapurikar, S., Krishnamurthy, P., Sproull, T., Lockwood, J.: Deep packet inspection using parallel Bloom filters. In: Symposium on High Performance Interconnects (HotI), pp. 44-51. Stanford, CA (2003)
14. Dharmapurikar, S., Krishnamurthy, P., Taylor, D.: Longest prefix matching using Bloom filters. In: Proceedings of the Special Interest Group on Data Communication (SIGCOMM'03), pp. 201-212. Karlsruhe, Germany (2003)
15. Dharmapurikar, S., Paxson, V.: Robust TCP stream reassembly in the presence of adversaries. In: Proceedings of the 14th USENIX Security Symposium. Baltimore (2005)
16. Faloutsos, M., Faloutsos, P., Faloutsos, C.: On power-law relationships of the Internet topology. In: Proceedings of the Special Interest Group on Data Communication (SIGCOMM'99), pp. 251-262. Boston/Cambridge, MA (1999)
17. Fan, L., Cao, P., Almeida, J., Broder, A.: Summary cache: A scalable wide-area Web cache sharing protocol. IEEE/ACM Trans. Netw. 8 (3), 281-293 (2000)
18. Feller, W.: An Introduction to Probability Theory and its Applications, vol. 1, 3rd edn. Wiley, New York (1968)
19. Fyodor: The art of port scanning. Phrack Mag. 7 (51)H(1997). URL: http://www.phrack.org [Accessed: March 6, 2003]
20. Garey, M., Johnson, D.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, New York (1979)
21. Goh, E.J.: Secure indexes. Cryptology ePrint Archive, Report 2003/216 (2003). URL: http://eprint.iacr.org/2003/216/ [Accessed: January 7, 2004]
22. Grembowski, T., Lien, R., Gaj, K., Nguyen, N., Bellows, P., Flidr, J., Lehman, T., Schott, B.: Comparative analysis of the hardware implementations of hash functions SHA-1 and SHA-512. In: Proceedings of Information Security Conference (ISC 2002), Lecture Notes in Computer Science, vol. 2433, pp. 75-89. Springer, Sao Paulo, Brazil (2002)
23. Handley, M., Kreibich, C., Paxson, V.: Network intrusion detection: Evasion, traffic normalization, and end-to-end protocol semantics. In: Proceedings of the 10th USENIX Security Symposium. Washington, DC (2001)
24. Horne, B., Matheson, L., Sheehan, C., Tarjan, R.: Dynamic self-checking techniques for improved tamper resistance. In: Proceedings of the First ACM Workshop on Digital Rights Management (DRM 2001), Lecture Notes in Computer Science, vol. 2320, pp. 141-159. Springer, Berlin Heidelberg New York (2002)
25. Joag-Dev, K., Proschan, F.: Negative association of random variables, with applications. Ann. Stat. 11 (1), 286-295 (1983)
26. Jung, J., Paxson, V., Berger, A., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the 2004 IEEE Symposium on Security and Privacy. Oakland (2004)
27. Kim, H.A., Karp, B.: Autograph: Toward automated, distributed worm signature detection. In: Proceedings of 13th USENIX Security Symposium. San Diego, CA (2004)
28. Kumar, A., Xu, J., Li, L., Wang, J.: Space-code Bloom filter for efficient traffic flow measurement. In: Proceedings of IMC. Miami Beach, FL (2003)
29. Levy, E.: Worm propagation and generic attacks. IEEE Secur. Priv. 3 (2), 63-65 (2005)
30. Liljenstam, M.: Modeling of security and systems. A network worm modeling package for SSFNet (2003). http://www.crhc.uiuc.edu/mili/ research/ssf/worm/ [Accessed: September 10, 2004]
31. Mahajan, R., Spring, N., Wetherall, D., Anderson, T.: Inferring link weight using end-to-end measurements. In: Proceedings of the Internet Measurement Workshop 2002 (IMW'02). Marseille, France (2002)
32. Matrawy, A., van Oorschot, P., Somayaji, A.: Mitigating network denial-of-service through diversity-based traffic management. In: Proceedings of the 3rd Annual Conference on Applied Cryptography and Network Security (ACNS 2005), Lecture Notes in Computer Science, vol. 3531, pp. 104-121. Springer, New York (2005)
33. McHugh, J.: Testing intrusion detection systems: A critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. Inf. Syst. Secur. (TISSEC) 3 (4), 262-294 (2000)
34. MIT Lincoln Laboratory: DARPA intrusion detection evaluation: Data sets (1999). http://www.ll.mit.edu/IST/ideval/data/data_index.html [Accessed: April 1, 2004]
35. Mitzenmacher, M.: Compressed Bloom filters. In: Proceedings of the 20th Annual ACM Symposium on Principles of Distributed Computing (PODC 2001), pp. 144-150. Newport, RI (2001)
36. Moore, D., Paxon, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer worm. IEEE Secur. Priv. 1 (4), 33-39 (2003)
37. Nachenberg, C.: Computer virus-antivirus coevolution. Commun. ACM 40 (1), 46-51 (1997)
38. Nevelsteen, W., Preneel, B.: Software performance of universal hash functions. In: Proceedings of Eurocrypt'99, pp. 24-41. Prague, Czech Republic (1999)
39. Newsome, J., Karp, B., Song, D.: Polygraph: Automatically generating signatures for polymorphic worms. In: Proceedings of the 2005 IEEE Symposium on Security and Privacy. Oakland, CA (2005)
40. NS-2: The network simulator - NS-2 (2003). http://www.isi.edu/nsnam/ns/ [Accessed: September 10, 2003]
41. Onut, I.V., Zhu, B., Ghorbani, A.: A novel visualization technique for network anomaly detection. In: Proceedings of the 2nd Annual Conference on Privacy, Security and Trust. Fredericton, Canada (2004)
42. OPNET Technologies Inc.: Opnet modeler (2003). http://www.opnet.com [Accessed: September 10, 2003]
43. Park, K., Lee, H.: On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets. In: Proceedings of the Special Interest Group on Data Communication (SIGCOMM'01). San Diego, CA (2001)
44. Ptacek, T.H., Newsham, T.N.: Insertion, evasion and denial of service: Eluding network intrusion detection. Tech. rep., Secure Networks, Inc. (1998). http://www.aciri.org/vern/Ptacek-Newsham-Evasion-98.ps [Accessed: November 6, 2005]
45. Rabin, M.: Fingerprinting by random polynomials. Technical Report TR-15-81, Center for Research in Computing Technology, Harvard University, Cambridge, MA (1981)
46. Shanmugasundaram, K., Brönnimann, H., Memon, N.: Payload attribution via hierarchical Bloom filters. In: Proceedings of the 11th ACM Conference on Computer and Communications Security (CCS'04). Washington, DC (2004)
47. Shannon, C., Moore, D.: The spread of the Witty worm (2004). http://www.caida.org/analysis/security/witty/ [Accessed: June 18, 2004]
48. Singh, S., Estan, C., Varghese, G., Savage, S.: The EarlyBird system for real-time detection of unknown worms. Technical Report CS2003-0761, University of California, San Diego, CA (2003)
49. Singh, S., Estan, C., Varghese, G., Savage, S.: Automated worm fingerprinting. In: Proceedings of the 6th USENIX Symposium on Operating Systems Design & Implementation (OSDI'04). San Francisco (2004)
50. Snoeren, A., Partridge, C., Sanchez, L., Jones, C., Tchakountio, F., Kent, S., Strayer, W.: Hash-based IP traceback. In: Proceedings of the Special Interest Group on Data Communication (SIGCOMM'01). San Diego, CA (2001)
51. Spring, N., Mahajan, R., Wetherall, D.: Measuring ISP topologies with Rocketfuel. In: Proceedings of the Special Interest Group on Data Communication (SIGCOMM'02). Pittsburgh, PA (2002)
52. SSFNet: Scalable simulation framework network models (2003). http://www.ssfnet.org/homePage.html [Accessed: September 10, 2003]
53. Toth, T., Kruegel, C.: Connection-history based anomaly detection. In: Proceedings of the 2002 IEEE Workshop on Information Assurance and Security. New York (2002)
54. Twycross, J., Williamson, M.: Implementing and testing a virus throttle. In: Proceedings of the 12th USENIX Security Symposium. Washington, DC (2003)
55. Valdes, A., Fong, M.: Scalable visualization of propagating Internet phenomena. In: Proceedings of the ACM Workshop on Visualization and Data Mining for Computer Security. Washington, DC (2004)
56. Vargas Martin, M.: A monitoring system for mitigating fast propagating worms in the network infrastructure. In: Proceedings of the 18th IEEE Canadian Conference on Electrical and Computing Engineering (CCECE'05). Saskatoon, Canada (2005)
57. Venkataraman, S., Song, D., Gibbons, P., Blum, A.: New streaming algorithms for fast detection of superspreaders. In: The Internet Society Proceedings of the Network and Distributed System Security Symposium (NDSS'05). San Diego, CA (2005)
58. Wang, K., Stolfo, S.: Anomalous payload-based network intrusion detection. In: Proceedings of the Seventh International Symposium on Recent Advances in Intrusion Detection (RAID 2004). Sophia Antipolis, France (2004)
59. Watts, D.: Small Worlds: The Dynamics of Networks Between Order and Randomness. Princeton University Press, Princeton, NJ (1999)
60. Weaver, N., Paxson, V., Staniford, S., Cunningham, R.: A taxonomy of computer worms. In: Proceedings of ACM WORM'03. Washington, DC (2003)
61. Weaver, N., Staniford, S., Paxson, V.: Very fast containment of scanning worms. In: Proceedings of the 13th USENIX Security Symposium. San Diego, CA (2004)
62. Williamson, M.: Throttling viruses: Restricting propagation to defeat malicious mobile code. In: Proceedings of the Annual Computer Security Application Conference (ACSAC'02). Las Vegas (2002)
63. Zou, C., Gong, W., Towsley, D.: Code Red worm propagation modeling and analysis. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS'02). Washington, DC (2002)