Online Accumulation: Reconstruction of Worm Propagation Path

Authors:
Yang Xiang;Qiang Li;Dong Guo
Affiliations:
College of Computer Science and Technology, JiLin University, JiLin, China 130012;College of Computer Science and Technology, JiLin University, JiLin, China 130012;College of Computer Science and Technology, JiLin University, JiLin, China 130012
Venue:
NPC '08 Proceedings of the IFIP International Conference on Network and Parallel Computing
Year:
2008

Citing 13
Cited 1

Code-Red: a case study on the spread and victims of an internet worm

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Inside the Slammer Worm

IEEE Security and Privacy
Shield: vulnerability-driven network filters for preventing known vulnerability exploits

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Worm Origin Identification Using Random Moonwalks

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Active Timing-Based Correlation of Perturbed Traffic Flows with Chaff Packets

ICDCSW '05 Proceedings of the Second International Workshop on Security in Distributed Computing Systems (SDCS) (ICDCSW'05) - Volume 02
Vigilante: end-to-end containment of internet worms

Proceedings of the twentieth ACM symposium on Operating systems principles
Worm evolution tracking via timing analysis

Proceedings of the 2005 ACM workshop on Rapid malcode
Exploiting underlying structure for detailed reconstruction of an internet-scale event

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Enhancing SWORD to Detect Zero-Day-Worm-Infected Hosts

Simulation
On the detection and origin identification of mobile worms

Proceedings of the 2007 ACM workshop on Recurring malcode
Forensic Analysis for Epidemic Attacks in Federated Networks

ICNP '06 Proceedings of the Proceedings of the 2006 IEEE International Conference on Network Protocols
Hit-list worm detection and bot identification in large networks using protocol graphs

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection

A scalable network forensics mechanism for stealthy self-propagating attacks

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Knowledge of the worm origin is necessary to forensic analysis, and knowledge of the initial causal flows supports diagnosis of how network defenses were breached. Fast and accurate online tracing network worm during its propagation, help to detect worm origin and the earliest infected nodes, and is essential for large-scale worm containment. This paper introduces the Accumulation Algorithm which can efficiently tracing worm origin and the initial propagation paths, and presents an improved online Accumulation Algorithm using sliding detection windows. We also analyzes and verifies their detection accuracy and containment efficacy through simulation experiments in large scale network. Results indicate that the online Accumulation Algorithm can accurately tracing worms and efficiently containing their propagation in an approximately real-time manner.