Correcting congestion-based error in network telescope's observations of worm dynamics

Authors:
Songjie Wei;Jelena Mirkovic
Affiliations:
University of Delaware, Newark, DE, USA;University of Southern California, Marina Del Rey, CA, USA
Venue:
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Year:
2008

Citing 11
Cited 0

A technique for counting natted hosts

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Code-Red: a case study on the spread and victims of an internet worm

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Inside the Slammer Worm

IEEE Security and Privacy
Monitoring and early warning for internet worms

Proceedings of the 10th ACM conference on Computer and communications security
The Spread of the Witty Worm

IEEE Security and Privacy
Preliminary results using scale-down to explore worm dynamics

Proceedings of the 2004 ACM workshop on Rapid malcode
On the impact of dynamic addressing on malware propagation

Proceedings of the 4th ACM workshop on Recurring malcode
Exploiting underlying structure for detailed reconstruction of an internet-scale event

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Inferring internet denial-of-service activity

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
On the effectiveness of distributed worm monitoring

SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Toward a framework for forensic analysis of scanning worms

ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network telescopes have been invaluable for collecting information about dynamics of large-scale worm events. Yet, a telescope's observation may be incomplete due to scan congestion drops, hardware limitations, filtering and presence of NATs, a worm's non-uniform scanning strategy or its short life. We investigate inaccuracies in telescope observations that arise from worm-induced congestion drops of worm scans and show that they may lead to significant underestimates of the number of infectees and their scanning rate. We propose a method to infer worm-induced congestion drops from telescope's observations and use them to accurately estimate global worm dynamics. We apply our methods to CAIDA telescope's observations of Witty worm's spread, and release corrected statistics of worm dynamics for public use.