Extracting Worm-Infected Hosts Using White List

  • Authors:
  • Noriaki Kamiyama;Tatsuya Mori;Ryoichi Kawahara;Shigeaki Harada;Hideaki Yoshino

  • Venue:
  • SAINT '08 Proceedings of the 2008 International Symposium on Applications and the Internet
  • Year:
  • 2008

Abstract

On the Internet, the rapid spread of worms is a serious problem. In many cases, worm-infected hosts generate a huge number of small flows while scanning for other target hosts. Therefore, we defined hosts generating many flows, i.e., a number of flows greater than or equal to a threshold during a measurement period, as superspreaders, and we proposed a method of identifying superspreaders by flow sampling. However, some legitimate hosts generating many flows, such as DNS servers, can also be superspreaders. Therefore, if we simply regulate all identified superspreaders, e.g., by limiting their flow generation rate or quarantining them, legitimate hosts identified as superspreaders are also regulated. Legitimate hosts generating many flows tend to be superspreaders in multiple consecutive measurement periods. In this paper, we propose a method of extracting worm-infected hosts from identified superspreaders using a white list. We define two network statuses, a normal state and a worm-outbreak state. During the normal state, the IP addresses of identified superspreaders are inserted into the white list. During the worm-outbreak state, worm-infected hosts are extracted from the identified superspreaders by comparing them with the host entries stored in the white list. Using an actual packet trace and simulated abusive traffic, we demonstrate that many legitimate hosts are filtered out of the identified superspreaders while suppressing the increase in worm-infected hosts that are incorrectly left unextracted.
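The two-state procedure in the abstract, as an added illustration that is not the authors' code: superspreaders are counted per measurement period, inserted into the white list during the normal state, and during the outbreak state only superspreaders absent from the white list are extracted. The threshold value, the flow key (destination address and port), and the flow records are constructed assumptions; the paper's flow-sampling step is omitted and every flow is counted.

```python
from collections import defaultdict

THRESHOLD = 5  # assumed: flows per period that make a host a superspreader


def count_flows(records):
    """Number of distinct flows (dst, dport) per source host in one period."""
    flows = defaultdict(set)
    for src, dst, dport in records:
        flows[src].add((dst, dport))
    return {src: len(keys) for src, keys in flows.items()}


def superspreaders(records, threshold=THRESHOLD):
    """Hosts whose flow count in the period is >= threshold."""
    return {src for src, n in count_flows(records).items() if n >= threshold}


class WhiteListExtractor:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.white_list = set()

    def observe_normal(self, records):
        """Normal state: superspreaders are treated as legitimate heavy talkers."""
        found = superspreaders(records, self.threshold)
        self.white_list |= found
        return found

    def extract_outbreak(self, records):
        """Outbreak state: superspreaders not on the white list are extracted."""
        return superspreaders(records, self.threshold) - self.white_list


def make_flows(src, n, dport):
    """Constructed records: n flows from src to n distinct destinations."""
    return [(src, f"10.0.{i // 256}.{i % 256}", dport) for i in range(n)]


# Constructed traffic: a DNS server (192.0.2.53) is a legitimate superspreader
# in both periods; two scanning hosts appear only during the outbreak.
NORMAL_PERIOD = make_flows("192.0.2.53", 8, 53) + make_flows("192.0.2.10", 2, 80)
OUTBREAK_PERIOD = (make_flows("192.0.2.53", 9, 53) + make_flows("192.0.2.10", 1, 80)
                   + make_flows("192.0.2.77", 40, 445) + make_flows("192.0.2.78", 12, 445))


def demo():
    """Run one normal period, then one outbreak period; return (white list, extracted)."""
    ext = WhiteListExtractor()
    ext.observe_normal(NORMAL_PERIOD)
    return ext.white_list, ext.extract_outbreak(OUTBREAK_PERIOD)
```

Without the white list, the DNS server would be regulated together with the two scanners; with it, only the hosts that were not superspreaders in the normal state are extracted.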