Behavioral Footprinting: A New Dimension to Characterize Self-Propagating Worms

Authors: Xuxian Jiang, Dongyan Xu

DOI:

Keywords: Multiple time dimensions, Dimension (vector space), Computer science, Footprint, Identification (information), Bioinformatics, Footprinting, Artificial intelligence, Replication (computing), Session (computer science), Robustness (evolution), Machine learning

Abstract: With increasing speed, virulence, and sophistication, self-propagating worms continue to pose a serious threat to the safety of the Internet. To effectively identify and defend against worms, a critical task is to characterize a worm along multiple dimensions. Content-based fingerprinting is a well-established dimension for worm characterization, deriving the most representative content sequence as the worm's signature. However, this dimension alone does not capture all aspects of a worm and may therefore lead to incomplete or inaccurate characterization. To expand the space of worm characterization, this paper proposes and justifies a new dimension, behavioral footprinting. Orthogonal and complementary to content-based fingerprinting, behavioral footprinting characterizes the unique behavior of a worm during each infection session, which covers the probing, exploitation, and replication phases of the session. By modeling each step as a phenotype and the entire session as a sequential footprint, we show that the footprint captures worm-specific behavior that is inherently different from normal access to a vulnerable service. We present advanced analysis techniques to extract a worm's footprint from its traces. Our evaluation with a number of real-world worms clearly demonstrates the feasibility and effectiveness of behavioral footprinting in successfully extracting worm-characterizing footprints from the experimented worms. Furthermore, comparing with content-based fingerprinting, our experiments demonstrate the uniqueness and robustness of behavioral footprints in worm recognition and identification.
