The EarlyBird System for Real-time Detection of Unknown Worms

Authors: Cristian Estan, George Varghese, Stefan Savage, Sumeet Singh

Abstract: Network worms are a major threat to the security of today's Internet-connected hosts and networks. The combination of unmitigated connectivity and widespread software homogeneity allows worms to exploit tremendous parallelism in propagation. Modern worms spread so quickly that no human-mediated reaction to the outbreak of a new worm can hope to prevent a widespread epidemic. In this paper we propose an automated method for detecting new worms based on traffic characteristics common to most of them: highly repetitive packet content, an increasing population of sources generating infections, and an increasing number of destinations being targeted. Our method generates content signatures for the worm without any human intervention. Preliminary results on a small network are promising: we have identified three confirmed worms with a low percentage of false positives. This gives us reason to believe that our method could form the core of an effective network-level worm detection and countermeasure system capable of substantially slowing down the spread of new worms.
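The abstract describes detection as the conjunction of two signals: a piece of payload content that recurs across packets (content prevalence) and a set of sources and destinations for that content that keeps growing (address dispersion). The following Python sketch is an added illustration of that idea, not the authors' EarlyBird implementation: it hashes every 40-byte window of each payload (a stand-in for the paper's fingerprinting), keeps exact Python sets where a real sensor would use approximate counters, and uses arbitrary thresholds. The traffic it runs over is constructed inline. It also shows the false-positive case the abstract is concerned with: a popular page fetched by many clients is highly repetitive but has a single destination, so dispersion alone keeps it from being flagged.

```python
"""Toy content-sieve + address-dispersion worm detector.

Added illustration of the idea in the abstract (repetitive content plus a
growing set of sources and destinations); NOT the authors' EarlyBird code.
Assumptions: a SHA-1 hash of every 40-byte payload window stands in for the
paper's fingerprinting, exact Python sets stand in for approximate counters,
and the thresholds below are arbitrary.
"""
import hashlib
from dataclasses import dataclass, field

WINDOW = 40        # payload bytes per content fingerprint (assumption)
PREVALENCE_T = 3   # occurrences before content counts as repetitive (assumption)
SOURCES_T = 3      # distinct source IPs required (assumption)
DESTS_T = 3        # distinct destination IPs required (assumption)


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class Stats:
    count: int = 0
    sources: set = field(default_factory=set)
    dests: set = field(default_factory=set)

    def is_worm_like(self):
        # both signals must hold: repetitive content AND dispersed addresses
        return (self.count >= PREVALENCE_T
                and len(self.sources) >= SOURCES_T
                and len(self.dests) >= DESTS_T)


def fingerprints(payload, window=WINDOW):
    """Yield (hash, substring) for every window-sized substring of payload.
    Payloads shorter than the window yield nothing."""
    for i in range(len(payload) - window + 1):
        chunk = payload[i:i + window]
        yield hashlib.sha1(chunk).digest()[:8], chunk


class Sieve:
    """Per-(content, destination port) prevalence and dispersion tracking."""

    def __init__(self):
        self.table = {}   # (fingerprint, dport) -> Stats
        self.alerts = {}  # flagged substring -> (dport, Stats)

    def observe(self, pkt):
        for fp, chunk in fingerprints(pkt.payload):
            st = self.table.setdefault((fp, pkt.dport), Stats())
            st.count += 1
            st.sources.add(pkt.src)
            st.dests.add(pkt.dst)
            if st.is_worm_like():
                # the first window to cross every threshold becomes a signature
                self.alerts.setdefault(chunk, (pkt.dport, st))

    def stats_for(self, payload, dport):
        """Look up the counters for the first window of a payload."""
        fp = hashlib.sha1(payload[:WINDOW]).digest()[:8]
        return self.table.get((fp, dport))


# --- constructed sample traffic (not captured data) ---
WORM = b"CONSTRUCTED WORM PAYLOAD " + bytes(range(0x20, 0x60))
POPULAR = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: same-browser-build/1.0\r\n\r\n")


def sample_traffic():
    pkts = []
    # many clients fetching one popular page: repetitive, but one destination
    for i in range(10):
        pkts.append(Packet(f"10.1.0.{i}", "203.0.113.5", 80, POPULAR))
    # unique per-flow payloads: never repetitive
    for i in range(20):
        body = (hashlib.sha256(b"flow-%d-a" % i).digest()
                + hashlib.sha256(b"flow-%d-b" % i).digest())
        pkts.append(Packet(f"10.2.0.{i}", f"10.3.0.{i}", 25, body))
    # the worm: identical payload, a new source and a new destination each time
    for i in range(5):
        pkts.append(Packet(f"10.0.0.{i + 1}", f"192.168.1.{i + 10}", 1434, WORM))
    return pkts


def run_demo():
    sieve = Sieve()
    for pkt in sample_traffic():
        sieve.observe(pkt)
    return sieve


if __name__ == "__main__":
    s = run_demo()
    print(f"{len(s.alerts)} signature windows flagged")
    for chunk, (dport, st) in list(s.alerts.items())[:1]:
        print(dport, st.count, len(st.sources), len(st.dests), chunk[:24])
```

Keying counters by destination port as well as content is a choice made here so that the same bytes seen on unrelated services are not pooled; in a real sensor the per-window table would be replaced by the sampled, approximate structures the paper is built around, since hashing every offset of every packet with exact sets does not scale to a high-speed link.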
