Hit-list worm detection and bot identification in large networks using protocol graphs

  • Authors:
  • M. Patrick Collins;Michael K. Reiter

  • Affiliations:
  • CERT, Network Situational Awareness, Software Engineering Institute, Carnegie Mellon University;Department of Computer Science, University of North Carolina at Chapel Hill

  • Venue:
  • RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
  • Year:
  • 2007

Quantified Score

Hi-index 0.00

Visualization

Abstract

We present a novel method for detecting hit-list worms using protocol graphs. In a protocol graph, a vertex represents a single IP address, and an edge represents communications between those addresses using a specific protocol (e.g., HTTP). We show that the protocol graphs of four diverse and representative protocols (HTTP, FTP, SMTP, and Oracle), as constructed from monitoring for fixed durations on a large intercontinental network, exhibit stable graph sizes and largest connected component sizes. Moreover, we demonstrate that worm propagations, even of a sophisticated hit-list variety in which the attacker has advance knowledge of his targets and always connects successfully, perturb these properties. We demonstrate that these properties can be monitored very efficiently even in very large networks, giving rise to a viable and novel approach for worm detection. We also demonstrate extensions by which the attacking hosts (bots) can be identified with high accuracy.