The Quest for Multi-headed Worms

Authors:
Van-Hau Pham;Marc Dacier;Guillaume Urvoy-Keller;Taoufik En-Najjary
Affiliations:
Institut Eurecom, Sophia---Antipolis, France;Institut Eurecom, Sophia---Antipolis, France;Institut Eurecom, Sophia---Antipolis, France;Institut Eurecom, Sophia---Antipolis, France
Venue:
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Year:
2008

Citing 7
Cited 3

The internet worm program: an analysis

ACM SIGCOMM Computer Communication Review
The “worm” programs—early experience with a distributed computation

Communications of the ACM
Algorithm 457: finding all cliques of an undirected graph

Communications of the ACM
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
A symbolic representation of time series, with implications for streaming algorithms

DMKD '03 Proceedings of the 8th ACM SIGMOD workshop on Research issues in data mining and knowledge discovery
A taxonomy of computer worms

Proceedings of the 2003 ACM workshop on Rapid malcode
Exploiting Software: How to Break Code

Exploiting Software: How to Break Code

The WOMBAT Attack Attribution Method: Some Results

ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
Honeypot trace forensics: The observation viewpoint matters

Future Generation Computer Systems
HARMUR: storing and analyzing historic data on malicious domains

Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

In [6], Pouget et al. have conjectured the existence of so-called multi-headed worms and found a couple of them on attack traces collected on a single honeypot. These worms take advantage of several distinct attack techniques to propagate but they use only one of them against a given target. From a victim's viewpoint, they are therefore indistinguishable from the other classical worms that always propagate using the same attack vector or same sequence of attack vectors. This paper aims at confirming the existence of these worms by studying a very large dataset. The validation process led to three important contributions. First, we establish the existence and assess the importance of three distinct classes of attacks seen in the wild. Second, we propose a new method to correlate attack traces time series and apply it to search for multi-headed worms. Third, we offer and discuss results of the analysis of 15 months of data gathered over 28 different platforms located all over the world.