    Abstract:

    Several global worm-detection methods exist, but they do not apply to a local network. This paper presents a new cooperative approach to automatic worm detection within local networks, called CWDMLN (coordinated worm detection method based on local nets). The algorithm focuses on the characteristics of scanning worms in a local network and uses different methods to handle different worm behaviours, including honeypots that deceive worms. CWDMLN coordinates these methods to raise graded alarms for worm attacks, where the grade reflects the reliability of the alarm. Experimental results show that the approach is promising: it quickly finds worm intrusions in local networks and extracts signatures of unknown worms that an IDS (intrusion detection system) or firewall can use to block further worm traffic. By scaling up, the method can also contribute to global worm alarming.
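    As an added illustration (not the paper's CWDMLN code, which the abstract does not show), the following Python sketch combines the three ingredients the abstract names, per-host scan fan-out and failure statistics, honeypot hits, and signature extraction from what the worm sends to the honeypot, into alarms graded by reliability. The thresholds, the three grade definitions, the honeypot addresses, the event format and the traffic sample are all constructed assumptions.

```python
"""Toy coordinated scanning-worm detector for one local network.

Added illustration, not the paper's CWDMLN implementation: thresholds, grades and
the signature step are assumptions chosen to show how scan statistics and honeypot
hits can be combined into alarms whose grade reflects their reliability.
"""
from collections import defaultdict
from dataclasses import dataclass, field

FANOUT_MIN = 5        # assumed: distinct destinations on one port that count as a sweep
FAIL_RATIO_MIN = 0.7  # assumed: share of attempts refused or timed out
MIN_SIG_LEN = 8       # assumed: shortest shared byte string worth reporting

# Assumed unused addresses inside the local net that serve as honeypots.
HONEYPOTS = {"10.0.0.250", "10.0.0.251"}

# Constructed sample, not real traffic: (src, dst, dst port, outcome, payload).
_EXPLOIT = b"\x90\x90\x90\x90JUNKPAYLOAD-EXPLOIT-v1\x00id="
SAMPLE_EVENTS = (
    # 10.0.0.5 sweeps port 445, mostly fails, then sends data to both honeypots
    [("10.0.0.5", f"10.0.0.{n}", 445, "refused", b"") for n in range(10, 18)]
    + [("10.0.0.5", "10.0.0.20", 445, "ok", b""),
       ("10.0.0.5", "10.0.0.250", 445, "ok", b"XX" + _EXPLOIT + b"0007"),
       ("10.0.0.5", "10.0.0.251", 445, "ok", b"QQ" + _EXPLOIT + b"8812")]
    # 10.0.0.11 sweeps port 3389 and every attempt times out
    + [("10.0.0.11", f"10.0.0.{n}", 3389, "timeout", b"") for n in range(40, 46)]
    # 10.0.0.9 fans out on port 22 but mostly succeeds (an admin's ssh rounds)
    + [("10.0.0.9", f"10.0.0.{n}", 22, outcome, b"")
       for n, outcome in zip(range(30, 35), ["ok", "refused", "ok", "refused", "ok"])]
    # 10.0.0.7 is ordinary client traffic
    + [("10.0.0.7", "10.0.0.1", 80, "ok", b""), ("10.0.0.7", "10.0.0.1", 80, "ok", b""),
       ("10.0.0.7", "10.0.0.2", 443, "ok", b"")]
)

@dataclass
class HostStats:
    dsts_by_port: dict = field(default_factory=lambda: defaultdict(set))
    attempts: int = 0
    failures: int = 0
    honeypot_payloads: list = field(default_factory=list)

def collect(events, honeypots=HONEYPOTS):
    """Aggregate per-source statistics over one window of connection attempts."""
    stats = defaultdict(HostStats)
    for src, dst, port, outcome, payload in events:
        s = stats[src]
        s.attempts += 1
        s.dsts_by_port[port].add(dst)
        if outcome != "ok":
            s.failures += 1
        if dst in honeypots and payload:
            s.honeypot_payloads.append(payload)
    return stats

def grade_host(s):
    """Combine the evidence into one alarm grade: 0 = none, 3 = most reliable."""
    fanout = max((len(d) for d in s.dsts_by_port.values()), default=0)
    fail_ratio = s.failures / s.attempts if s.attempts else 0.0
    if s.honeypot_payloads:  # data sent to an unused address has no benign explanation
        return 3, f"payload delivered to honeypot, fan-out {fanout}"
    if fanout >= FANOUT_MIN and fail_ratio >= FAIL_RATIO_MIN:
        return 2, f"fan-out {fanout} with {fail_ratio:.0%} failed attempts"
    if fanout >= FANOUT_MIN:
        return 1, f"fan-out {fanout}, mostly successful"
    return 0, "no scan indicators"

def longest_common_substring(a, b):
    """Classic O(len(a)*len(b)) dynamic programme over two byte strings."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def extract_signature(payloads):
    """Reduce the honeypot payloads to their longest shared byte string."""
    if len(payloads) < 2:
        return None
    sig = payloads[0]
    for p in payloads[1:]:
        sig = longest_common_substring(sig, p)
    return sig if len(sig) >= MIN_SIG_LEN else None

def run(events=SAMPLE_EVENTS, honeypots=HONEYPOTS):
    """Return {src: (grade, reason)} and the extracted signature (or None)."""
    stats = collect(events, honeypots)
    alarms = {src: grade_host(s) for src, s in stats.items()}
    payloads = [p for s in stats.values() for p in s.honeypot_payloads]
    return alarms, extract_signature(payloads)

if __name__ == "__main__":
    alarms, sig = run()
    for src, (g, why) in sorted(alarms.items(), key=lambda kv: -kv[1][0]):
        print(f"grade {g}  {src:<10} {why}")
    print("signature:", sig)
```

    On the constructed sample the sweeping host that also talks to a honeypot gets the top grade, the host whose sweep fails everywhere gets grade 2, the host that fans out but mostly connects successfully only gets grade 1, and the signature is the bytes the two honeypot payloads share once their per-target variation is stripped. The grade ordering encodes the same idea as the abstract's graded alarms: contact with an address nobody should use is stronger evidence than fan-out statistics alone, which a legitimate scanner or a busy admin can also produce.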

Citation

张新宇 (Zhang Xinyu), 卿斯汉 (Qing Sihan), 李琦 (Li Qi), 李大治 (Li Dazhi), 何朝辉 (He Zhaohui). A coordinated worm detection method based on local networks (一种基于本地网络的蠕虫协同检测方法). Journal of Software (软件学报), 2007, 18(2): 412-421.
History
  • Received: June 21, 2005
  • Revised: January 19, 2006
Copyright: Institute of Software, Chinese Academy of Sciences Beijing ICP No. 05046678-4