Toward a framework for forensic analysis of scanning worms

Authors:
Ihab Hamadeh;George Kesidis
Affiliations:
Department of Computer Science and Engineering, Department of Electrical Engineering, Pennsylvania State University, University Park, PA;Department of Computer Science and Engineering, Department of Electrical Engineering, Pennsylvania State University, University Park, PA
Venue:
ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
Year:
2006

Citing 7
Cited 3

Practical network support for IP traceback

Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
Hash-based IP traceback

Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications
Throttling Viruses: Restricting propagation to defeat malicious mobile code

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Worm propagation modeling and analysis under dynamic quarantine defense

Proceedings of the 2003 ACM workshop on Rapid malcode
Preliminary results using scale-down to explore worm dynamics

Proceedings of the 2004 ACM workshop on Rapid malcode
Worm Origin Identification Using Random Moonwalks

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Exploiting underlying structure for detailed reconstruction of an internet-scale event

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement

A taxonomy of internet traceback

International Journal of Security and Networks
Correcting congestion-based error in network telescope's observations of worm dynamics

Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
A scalable network forensics mechanism for stealthy self-propagating attacks

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Scanning worms have been around for a while and have had some damaging effects on the Internet. Because of their fast spread and their random selection of their target victims, building a global knowledge about which infected end-systems caused the infection of which susceptible end-systems seems fairly hard. In this paper, we propose to find the originator(s) (i.e., first infected end-system(s)) that spread the worm. The broader view is to build the complete infection tree(s) rooted at the originator(s) and which leaves consist of susceptible machines becoming infected. Besides, scanning worms could unintentionally divulge some information about the machines they infect. We will show how such information could be extracted from the scans of a victim end-system. We studied two different worms, the SQL Slammer/Sapphire worm and the Witty worm, and demonstrated the possibility of building the infection tree and gathering information about the infected end-systems.