WormShield: Fast Worm Signature Generation with Distributed Fingerprint Aggregation

Authors: Min Cai, Kai Hwang, Jianping Pan, Christos Papadopoulos

DOI: 10.1109/TDSC.2007.1000

Keywords:

Abstract: Fast and accurate generation of worm signatures is essential to contain zero-day worms at the Internet scale. Recent work has shown that signature generation can be automated by analyzing the repetition of worm substrings (that is, fingerprints) and their address dispersion. However, at the early stage of a worm outbreak, individual edge networks are often short of enough worm exploits for generating accurate signatures. This paper presents both theoretical and experimental results on a collaborative worm signature generation system (WormShield) that employs distributed fingerprint filtering and aggregation over multiple edge networks. By analyzing real-life Internet traces, we discovered that fingerprints in background traffic exhibit a Zipf-like distribution. Due to this property, distributed fingerprint filtering reduces the amount of fingerprint updates among monitors significantly. WormShield monitors utilize a new distributed aggregation tree (DAT) to compute global fingerprint statistics in a scalable and load-balanced fashion. We simulated a spectrum of scanning worms including CodeRed and Slammer using realistic Internet configurations of about 100,000 edge networks. On average, 256 collaborative monitors generate the signature for CodeRedI-v2 135 times faster than the same number of isolated monitors. In addition to the speed gains, we observed less than 100 false signatures out of 18.7-Gbyte Internet traces, yielding a very low false-positive rate. Each monitor only generates about 0.6 kilobit per second of traffic, which is 0.003 percent of the 18 megabits per second link sniffed. These results demonstrate that WormShield offers distinct advantages in speed, accuracy, and scalability for large-scale worm containment.
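The abstract describes signature generation from two statistics per payload substring (repetition count and address dispersion) and the observation that a single edge network often sees too few exploits to cross the thresholds on its own, so monitors filter locally and aggregate globally. The following Python is an added illustration of that idea, not code from the WormShield paper: the fingerprint window, the thresholds, the local filter level and all traffic (worm body, benign server responses, one-off background payloads) are constructed here, and the "aggregation" is a plain merge rather than the paper's distributed aggregation tree.

```python
"""Added illustration of repetition + address-dispersion signature generation
with local fingerprint filtering before cross-monitor aggregation.
Not the WormShield implementation; all parameters and traffic are constructed."""
from collections import defaultdict
import hashlib

WINDOW = 8         # fingerprint every 8-byte payload substring (assumed size)
REP_THRESHOLD = 6  # repetitions a substring needs before it becomes a signature
SRC_THRESHOLD = 3  # distinct source addresses needed (address dispersion)
DST_THRESHOLD = 3  # distinct destination addresses needed
LOCAL_FILTER = 2   # a monitor forwards only fingerprints seen at least this often


def fingerprints(payload: bytes) -> set:
    """Hash of each WINDOW-byte substring; one entry per distinct substring."""
    return {hashlib.sha1(payload[i:i + WINDOW]).hexdigest()[:16]
            for i in range(len(payload) - WINDOW + 1)}


def _select(count, srcs, dsts) -> set:
    """Fingerprints crossing the repetition and both dispersion thresholds."""
    return {fp for fp in count
            if count[fp] >= REP_THRESHOLD
            and len(srcs[fp]) >= SRC_THRESHOLD
            and len(dsts[fp]) >= DST_THRESHOLD}


class Monitor:
    """One edge-network monitor tracking repetition and dispersion per fingerprint."""

    def __init__(self, name: str):
        self.name = name
        self.count = defaultdict(int)
        self.srcs = defaultdict(set)
        self.dsts = defaultdict(set)

    def observe(self, src: str, dst: str, payload: bytes) -> None:
        for fp in fingerprints(payload):
            self.count[fp] += 1
            self.srcs[fp].add(src)
            self.dsts[fp].add(dst)

    def signatures(self) -> set:
        """Signatures this monitor can produce from its own traffic alone."""
        return _select(self.count, self.srcs, self.dsts)

    def filtered_updates(self) -> dict:
        """Update sent upstream: rarely seen fingerprints (the Zipf tail) are dropped."""
        return {fp: (self.count[fp], self.srcs[fp], self.dsts[fp])
                for fp in self.count if self.count[fp] >= LOCAL_FILTER}


def aggregate(monitors) -> set:
    """Merge the filtered updates of all monitors and apply the global thresholds."""
    count, srcs, dsts = defaultdict(int), defaultdict(set), defaultdict(set)
    for m in monitors:
        for fp, (c, s, d) in m.filtered_updates().items():
            count[fp] += c
            srcs[fp] |= s
            dsts[fp] |= d
    return _select(count, srcs, dsts)


def matches(signatures: set, payload: bytes) -> bool:
    """True if any fingerprint of payload is among the generated signatures."""
    return bool(fingerprints(payload) & signatures)


# Constructed traffic (not real captures): a fake worm body and a benign,
# frequently repeated server response.
WORM = b"CONSTRUCTED-WORM-BODY-0001"
BENIGN = b"HTTP/1.1 200 OK Server: demo-httpd"


def build_monitors():
    monitors = []
    for k in range(3):
        m = Monitor(f"edge-{k}")
        # each edge network sees only two infected hosts hitting two victims
        for j in range(2):
            m.observe(f"10.{k}.0.{j}", f"198.51.100.{2 * k + j}", WORM)
        # one web server answers many clients: high repetition and destination
        # dispersion, but a single source, so it must not become a signature
        for j in range(8):
            m.observe("203.0.113.7", f"10.{k}.1.{j}", BENIGN)
        # effectively unique background payloads, each seen once: local
        # filtering keeps them off the wire
        for j in range(5):
            noise = hashlib.md5(f"{k}-{j}".encode()).hexdigest().encode()
            m.observe(f"10.{k}.2.{j}", "203.0.113.9", noise)
        monitors.append(m)
    return monitors


def run_demo() -> dict:
    monitors = build_monitors()
    global_sigs = aggregate(monitors)
    return {
        "local_detects": sum(matches(m.signatures(), WORM) for m in monitors),
        "global_detect": matches(global_sigs, WORM),
        "benign_flagged": matches(global_sigs, BENIGN),
        "forwarded": sum(len(m.filtered_updates()) for m in monitors),
        "total_fingerprints": sum(len(m.count) for m in monitors),
    }


if __name__ == "__main__":
    print(run_demo())
```

Each monitor sees the worm body only twice, below the repetition threshold, so no isolated monitor produces a signature; after aggregation the six repetitions from six sources to six destinations cross all thresholds. The benign response is repeated far more often but from one source, so address dispersion keeps it out, and the one-off background payloads never leave the monitor because of the local filter.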

References (42)
Brad Karp, Hyang-Ah Kim, "Autograph: Toward Automated, Distributed Worm Signature Detection," USENIX Security Symposium, pp. 19-19, 2004.
Emil Sit, Robert Morris, "Security Considerations for Peer-to-Peer Distributed Hash Tables," International Workshop on Peer-to-Peer Systems, pp. 261-269, 2002, doi:10.1007/3-540-45748-8_25.
Vern Paxson, "Bro: A System for Detecting Network Intruders in Real-Time," Computer Networks, vol. 31, pp. 2435-2463, 1999, doi:10.1016/S1389-1286(99)00112-7.
L. Spitzner, Honeypots: Tracking Hackers, 2002.
Lakshminarayanan Subramanian, Ion Stoica, Jayanthkumar Kannan, Randy H. Katz, "Analyzing Cooperative Containment of Fast Scanning Worms," Conference on Steps to Reducing Unwanted Traffic on the Internet, pp. 3-3, 2005.
Ke Wang, Gabriela Cretu, Salvatore J. Stolfo, "Anomalous Payload-Based Worm Detection and Signature Generation," Lecture Notes in Computer Science, pp. 227-246, 2006, doi:10.1007/11663812_12.
Amos Fiat, Jared Saia, Maxwell Young, "Making Chord Robust to Byzantine Attacks," Algorithms – ESA 2005, pp. 803-814, 2005, doi:10.1007/11561071_71.
Angelos D. Keromytis, Bill Cheswick, Steven Michael Bellovin, "Worm Propagation Strategies in an IPv6 Internet," ;login:, vol. 31, pp. 70-76, 2006, doi:10.7916/D8NK3M9D.
Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, Giovanni Vigna, "Polymorphic Worm Detection Using Structural Information of Executables," Lecture Notes in Computer Science, pp. 207-226, 2006, doi:10.1007/11663812_11.
Cristian Estan, George Varghese, Stefan Savage, Sumeet Singh, "Automated Worm Fingerprinting," Operating Systems Design and Implementation, pp. 4-4, 2004.