Detecting intra-enterprise scanning worms based on address resolution

Authors: D. Whyte, P.C. van Oorschot, E. Kranakis

DOI: 10.1109/CSAC.2005.20

Keywords: The Internet, Computer science, Software implementation, Computer security, Preliminary analysis, Real-time computing, Address Resolution Protocol, Address resolution

Abstract: Signature-based schemes for detecting Internet worms often fail on zero-day worms, and their ability to rapidly react to new threats is typically limited by the requirement of some form of human involvement to formulate updated attack signatures. We propose an anomaly-based detection technique detailing a method to detect propagation of scanning worms within individual network cells, thus protecting internal networks from infection by internal clients. Our software implementation indicates that this technique is both accurate and rapid enough to enable automatic containment and suppression of worm propagation within a network cell. Our approach relies on an aggregate anomaly score, derived from the correlation of address resolution protocol (ARP) activity from individual network attached devices. Our preliminary analysis and prototype indicate that this technique can be used to rapidly detect zero-day worms within a very small number of scans.
