WormShield: Fast worm signature generation with distributed fingerprint aggregation

IEEE Transactions on Dependable and Secure Computing

Volumn 4, Issue 2, 2007, Pages 88-104

  Cai, Min ^a,b   Hwang, Kai ^a,b   Pan, Jianping ^a,c   Papadopoulos, Christos ^a,d  

^a IEEE

^b University of Southern California   (United States)

^c UNIVERSITY OF VICTORIA   (Canada)

^d Department of Computer Science   (United States)

Author keywords

Cardinality counting; Distributed aggregation tree; Distributed hash table; Internet worms; Network security; Signature generation; Traffic measurement; Worm containment

Indexed keywords

COMPUTER SIMULATION; COMPUTER WORMS; INTERNET; NETWORK SECURITY; TELECOMMUNICATION TRAFFIC; TREES (MATHEMATICS);

DISTRIBUTED AGGREGATION TREE; DISTRIBUTED HASH TABLE; INTERNET WORMS; TRAFFIC MEASUREMENT;

ELECTRONIC DOCUMENT IDENTIFICATION SYSTEMS;

EID: 33847742744     PISSN: 15455971     EISSN: None     Source Type: Journal    
DOI: 10.1109/TDSC.2007.1000     Document Type: Article

References (42)

1. M. Bailey, E. Cooke, F. Jahanian, and D. Watson, "The Blaster Worm Then and Now," IEEE Security and Privacy Magazine, vol. 3, no. 4, pp. 26-31, July/Aug. 2005.
2. S.M. Bellovin, A. Keromytis, and B. Cheswick, "Worm Propagation Strategies in an IPV6 Internet," ;LOCIN: The USENIX Magazine, vol. 31, no. 1, pp. 70-76, Feb. 2006.
3. M. Cai, K. Hwang, Y.-K. Kwok, S. Song, and Y. Chen, "Collaborative Internet Worm Containment," IEEE Security and Privacy Magazine, vol. 3, no. 3, pp. 25-33, May/June 2005.
4. M. Cai, J. Pan, Y.-K. Kwok, and K. Hwang, "Fast and Accurate Traffic Matrix Measurement Using Adaptive Cardinality Counting," Proc. ACM SIGCOMM MineNet '05 Workshop, Aug. 2005.
5. M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and D.S. Wallach, "Secure Routing for Structured Peer-to-Peer Overlay Networks," Proc. Fifth Symp. Operating Systems Design and Implementation (OSDI '02), pp. 299-314, 2002.
6. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham, "Vigilante: End-to-End Containment of Internet Worms," Proc. 20th ACM Symp. Operating Systems Principles (SOSP), Oct. 2005.
7. J.R. Crandall, Z. Su, S.F. Wu, and F.T. Chong, "On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic and Metamorphic Worm Exploits," Proc. 12th ACM Conf. Computer and Comm. Security, Nov. 2005.
8. A. Czirok, H.E. Stanley, and T. Vicsek, "Possible Origin of Power-Law Behavior in n-Tuple Zipf Analysis," Physical Rev. E, vol. 53, no. 6, June 1996.
9. M. Durand and P. Flajolet, "Loglog Counting of Large Cardinalities," Proc. 11th Ann. European Symp. Algorithms (ESA), Sept. 2003.
10. D. Ellis, "Worm Anatomy and Model," Proc. 2003 ACM Workshop Rapid Malcode (WORM '03), pp. 42-50, 2003.
11. C. Estan and G. Varghese, "New Directions in Traffic Measurement and Accounting: Focusing on the Elephants, Ignoring the Mice," ACM Trans. Computer Systems, 2003.
12. A. Fiat, J. Saia, and M. Young, "Making Chord Robust to Byzantine Attacks," Proc. European Symp. Algorithms (ESA), 2005.
13. K. Hwang, Y.-K. Kwok, S. Song, M. Cai, Y. Chen, and Y. Chen, "DHT-Based Security Infrastructure for Trusted Internet and Grid Computing," Int'l J. Critical Infrastructures, vol. 2, no. 4, 2005.
14. J. Jung, V. Paxson, A. Berger, and H. Balakrishnan, "Fast Portscan Detection Using Sequential Hypothesis Testing," Proc. IEEE Symp. Security and Privacy, May 2004.
15. J. Kannan, L. Subramanian, I. Stoica, and R.H. Katz, "Analyzing Cooperative Containment of Fast Scanning Worms," Proc. Usenix SRUTI 2005 Workshop, July 2005.
16. H.-A. Kim and B. Karp, "Autograph: Toward Automated, Distributed Worm Signature Detection," Usenix Security, 2004.
17. C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna, "Polymorphic Worm Detection Using Structural Information of Executables," Proc. Eighth Symp. Recent Advances in Intrusion Detection (RAID), Sept. 2005.
18. A. Kumar, M. Sung, J. Xu, and J. Wang, "Data Streaming Algorithms for Efficient and Accurate Estimation of Flow Size Distribution," ACM SIGMETRICS Performance Evaluation Rev., pp. 177-188, 2004.
19. J. Li and D.-Y. Lim, "A Robust Aggregation Tree on Distributed Hash Tables," Proc. MIT Student Oxygen Workshop (SOW '04), Sept. 2004.
20. W. Li, "Random Texts Exhibit Zipf's-Law-Like Word Frequency Distribution," IEEE Trans. Information Theory, vol. 38, no. 6, Nov. 1992.
21. Z. Li, M. Sanghi, B. Chavez, Y. Chen, and M.-Y. Kao, "Hamsa: Fast Signature Generation for Zero-Day Polymorphic Worms with Provable Attack Resilience," Proc. IEEE Symp. Security and Privacy, May 2006.
22. M. Liljenstam, D.M. Nicol, V.H. Berk, and R.S. Gray, "Simulating Realistic Network Worm Traffic for Worm Warning System Design and Testing," Proc. 2003 ACM Workshop Rapid Malcode (WORM '03), pp. 24-33, 2003.
23. M.E. Locasto, J. Parekh, A.D. Keromytis, and S. Stolfo, "Towards Collaborative Security and P2P Intrusion Detection," Proc. Sixth Ann. IEEE SMC Information Assurance Workshop (IAW), pp. 333-339, June 2005.
24. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, "Inside the Slammer Worm," IEEE Security and Privacy, Aug. 2003.
25. D. Moore, C. Shannon, and K. Claffy, "Code-Red: A Case Study on the Spread and Victims of an Internet Worm," Proc. Second ACM SIGCOMM Workshop Internet Measurement, pp. 273-284, 2002.
26. D. Moore, C. Shannon, G.M. Voelker, and S. Savage, "Internet Quarantine: Requirements for Containing Self-Propagating Code," Proc. 22nd Conf. Computer Comm., 2003.
27. J. Newsome, B. Karp, and D. Song, "Polygraph: Automatic Signature Generation for Polymorphic Worms," Proc. IEEE Security and Privacy Symp., May 2005.
28. V. Paxson, "Bro: A System for Detecting Network Intruders in Real Time," Computer Networks, vol. 31, no. 23-24, pp. 2435-2463, 1999.
29. M.O. Rabin, "Fingerprinting by Random Polynomials," technical report, Center for Research in Computing Technology, Harvard Univ., 1981.
30. M. Roesch, "Snort - Lightweight Intrusion Detection for Networks," Proc. Usenix 13th Systems Administration Conf. (LISA '99), pp. 229-238, 1999.
31. S. Schleimer, D.S. Wilkerson, and A. Aiken, "Winnowing: Local Algorithms for Document Fingerprinting," Proc. 2003 ACM SIGMOD Int'l Conf. Management of Data (SIGMOD '03), pp. 76-85, 2003.
32. S. Singh, C. Estan, G. Varghese, and S. Savage, "Automated Worm Fingerprinting," Proc. ACM/Usenix Symp. Operating System Design and Implementation, Dec. 2004.
33. E. Sit and R. Morris, "Security Considerations for Peer-to-Peer Distributed Hash Tables," Proc. First Int'l Workshop Peer-to-Peer Systems, pp. 261-269, 2002.
34. L. Spitzner, Honeypots: Tracking Hackers. Addison-Wesley, 2002.
35. I. Stoica, R. Morris, D. Karger, F. Kaashoek, and H. Balakrishnan, "Chord: A Scalable Peer-to-Peer Lookup Service for Internet Applications," Proc. 2001 ACM Conf. Applications, Technologies, Architectures, and Protocols for Computer Comm. (SIGCOMM), 2001.
36. H.J. Wang, C. Guo, D.R. Simon, and A. Zugenmaier, "Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits," Proc. 2004 ACM Conf. Applications, Technologies, Architectures, and Protocols for Computer Comm. (SIGCOMM), pp. 193-204, 2004.
37. K. Wang and S.S.G. Cretu, "Anomalous Payload-Based Worm Detection and Signature Generation," Proc. Eighth Int'l Symp. Recent Advances in Intrusion Detection, Sept. 2005.
38. N. Weaver, V. Paxson, S. Staniford, and R. Cunningham, "A Taxonomy of Computer Worms," Proc. 2003 ACM Workshop Rapid Malcode (WORM '03), pp. 11-18, 2003.
39. N. Weaver, S. Staniford, and V. Paxson, "Very Fast Containment of Scanning Worms," Proc. Usenix Security Symp., pp. 29-44, 2004.
40. K.-Y. Whang, B.T. Vander-Zanden, and H.M. Taylor, "A Linear-Time Probabilistic Counting Algorithm for Database Applications," ACM Trans. Database Systems, vol. 15, no. 2, pp. 208-229, 1990.
41. V. Yegneswaran, P. Barford, and S. Jha, "Global Intrusion Detection in the DOMINO Overlay System," Proc. Network and Distributed System Security Symp. (NDSS), 2004.
42. C.C. Zou, L. Gao, W. Gong, and D.F. Towsley, "Monitoring and Early Warning for Internet Worms," Proc. ACM Conf. Computer and Comm. Security, pp. 190-199, 2003.