Algorithm of Online Accumulation for Reconstructing the Path of Worm Propagation
    Abstract:

    Tracing propagation paths online when a worm breaks out on a large scale can improve a network's resistance to attack. The existing approaches to obtaining the worm propagation path are all based on off-line analysis and usually have lower accuracy. This paper proposes an online Accumulation Algorithm with sliding detection windows, which can quickly and efficiently trace the origin and initial causal edges of the worm. The algorithm resolves conflicts in choosing causal edges and tackles the problem of merging propagation paths in the consecutive reconstruction phase. The algorithm's accuracy and performance are analyzed. Experimental results reveal that the online Accumulation Algorithm can uncover causal edges even at the initial stage of the outbreak, and that it achieves detection accuracy higher than 90% while its running time is only 1% of that of related work.
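The abstract states the idea (sliding detection windows, causal edges, conflict resolution, apparent origins) but not the algorithm itself. The following is an added illustration, not the paper's code or the authors' Accumulation Algorithm: a simplified online accumulator over constructed connection records. Its rules are assumptions chosen for the example: a host is flagged as infected when it contacts at least `threshold` distinct destinations inside the window; the causal edge of a newly flagged host is the earliest in-window inbound contact from an already flagged host that precedes the new host's first scan; a flagged host with no such candidate is reported as an apparent origin. The trace `RECORDS` is constructed, not real data.

```python
from collections import deque


class WindowAccumulator:
    """Online, sliding-window reconstruction of worm propagation edges.

    Simplified illustration (assumptions, not the paper's algorithm):
      * a host is flagged as infected when it contacts >= `threshold`
        distinct destinations inside the current window (scan-like fan-out);
      * the causal edge of a newly flagged host is the earliest inbound
        contact, still inside the window, from a host that is already
        flagged and that arrived before the new host started scanning;
      * hosts flagged without any such candidate are apparent origins.
    """

    def __init__(self, window, threshold):
        self.window = window          # seconds of history kept (sliding window)
        self.threshold = threshold    # distinct destinations that mark a scanner
        self.recent = deque()         # (t, src, dst) records inside the window
        self.infected = {}            # host -> time it was flagged
        self.parent = {}              # child host -> (parent host, contact time)

    def feed(self, t, src, dst):
        """Consume one connection record; return a causal edge if one is found."""
        self.recent.append((t, src, dst))
        # Slide the window: drop records older than t - window.
        while self.recent and self.recent[0][0] < t - self.window:
            self.recent.popleft()
        if src in self.infected:
            return None
        outbound = [(rt, rd) for rt, rs, rd in self.recent if rs == src]
        if len({rd for _, rd in outbound}) < self.threshold:
            return None
        # src has just crossed the scan threshold: flag it.
        self.infected[src] = t
        first_scan = min(rt for rt, _ in outbound)
        # Candidate causal edges: inbound contacts from already-flagged hosts
        # that happened before src started scanning and are still in the window.
        candidates = [(rt, rs) for rt, rs, rd in self.recent
                      if rd == src and rs != src and rs in self.infected
                      and rt <= first_scan]
        if not candidates:
            return None               # no cause visible: apparent origin
        rt, rs = min(candidates)      # conflict rule: earliest contact wins
        self.parent[src] = (rs, rt)
        return (rs, src, rt)

    def origins(self):
        return sorted(h for h in self.infected if h not in self.parent)


def reconstruct(records, window=12, threshold=3):
    """Replay records in time order; return (origins, parent map, edges in discovery order)."""
    acc = WindowAccumulator(window, threshold)
    edges = []
    for t, src, dst in sorted(records):
        edge = acc.feed(t, src, dst)
        if edge:
            edges.append(edge)
    return acc.origins(), dict(acc.parent), edges


# Constructed sample trace (not real data): A is the origin and infects B, C
# and D; H is a benign host that also talks to C and E.
RECORDS = [
    (0, "A", "B"), (1, "A", "C"), (2, "A", "D"),
    (3, "H", "E"), (4, "H", "C"),
    (5, "B", "E"), (6, "B", "D"), (7, "B", "F"),
    (8, "C", "G"), (9, "C", "E"), (10, "C", "F"),
    (11, "D", "G"), (12, "D", "E"), (13, "D", "F"),
]

if __name__ == "__main__":
    origins, parent, edges = reconstruct(RECORDS, window=12)
    print("origins:", origins)                # ['A']
    for p, c, t in edges:
        print(f"causal edge {p} -> {c} at t={t}")
    # With a window too short to hold the infecting contact, the path breaks
    # into pieces and C looks like a second origin.
    print("origins with window=8:", reconstruct(RECORDS, window=8)[0])  # ['A', 'C']
```

Two things the run shows that the abstract only names. First, the conflict case: D is contacted by both A and B before it starts scanning, and the earliest-contact rule attributes it to A. Second, the window trade-off: with `window=8` the contact A to C has aged out by the time C is flagged, so C is reported as a second apparent origin and D is attributed to B; a later phase that merges such partial paths, as the abstract mentions, is exactly what an online reconstruction needs to recover from this.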

Citation:

Li Q, Xiang Y. Algorithm of Online Accumulation for Reconstructing the Path of Worm Propagation. Journal of Software (软件学报), 2010, 21(4): 802-815.

History
  • Received: February 29, 2008
  • Revised: October 27, 2008
Copyright: Institute of Software, Chinese Academy of Sciences. Beijing ICP No. 05046678-4