Worm Origin Identification Using Random Moonwalks
SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Mobile Contagion: Simulation of Infection and Defense
Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation
Spatio-temporal modeling of traffic workload in a campus WLAN
WICON '06 Proceedings of the 2nd annual international workshop on Wireless internet
Exploiting underlying structure for detailed reconstruction of an internet-scale event
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Mapping internet sensors with probe response attacks
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
SANE: a protection architecture for enterprise networks
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Ethane: taking control of the enterprise
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Forensic Analysis for Epidemic Attacks in Federated Networks
ICNP '06 Proceedings of the Proceedings of the 2006 IEEE International Conference on Network Protocols
Proximity breeds danger: emerging threats in metro-area wireless networks
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Online Accumulation: Reconstruction of Worm Propagation Path
NPC '08 Proceedings of the IFIP International Conference on Network and Parallel Computing
VirusMeter: Preventing Your Cellphone from Spies
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
| Hi-index | 0.00 |
Mobility can be exploited to spread malware among wireless nodes moving across network domains. Because such mobile worms spread across domains by exploiting the physical movement of mobile nodes, they cannot be contained by existing defenses. In this paper we address this new challenge using techniques for detecting the existence of stealthy mobile worms in the early stages of their infection and identifying the origins of such infections. The proposed mechanisms are based on random moonwalks which were originally used in post mortem analysis of Internet worms. However as we demonstrate, the original technique fails against mobile worms which are inherently stealthier than existing malware. In this paper, we extend the moonwalk algorithm by considering new heuristics and show that the proposed mechanism can reliably detect mobile worms during the early stages of infection. Our simulation results, based on network traces collected from a university-wide wireless network, show that a mobile infection can be reliably detected before it infects 10% of the vulnerable population. Furthermore, the proposed mechanism identifies the origin of the infection, by limiting the search for the initial victims to within 2% of the mobile node population