CBSTM: Cloud-based Behavior Similarity Transmission Method to Detect Industrial Worms

Authors:
Huayang Cao;Peidong Zhu;Jinjing Zhao
Affiliations:
Computer School National University of Defense Technology Changsha, China;Computer School National University of Defense Technology Changsha, China;National Key Laboratory of Science and Technology on Information System Security Beijing, China
Venue:
Proceedings of the Second International Conference on Innovative Computing and Cloud Computing
Year:
2013

Citing 8
Cited 0

A behavioral approach to worm detection

Proceedings of the 2004 ACM workshop on Rapid malcode
Polygraph: Automatically Generating Signatures for Polymorphic Worms

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
The monitoring and early detection of internet worms

IEEE/ACM Transactions on Networking (TON)
WormTerminator: an effective containment of unknown and polymorphic fast spreading worms

Proceedings of the 2006 ACM/IEEE symposium on Architecture for networking and communications systems
Detection of Silent Worms using Anomaly Connection Tree

AINA '07 Proceedings of the 21st International Conference on Advanced Networking and Applications
An Automated Signature-Based Approach against Polymorphic Internet Worms

IEEE Transactions on Parallel and Distributed Systems
vEye: behavioral footprinting for self-propagating worm detection and profiling

Knowledge and Information Systems
Polymorphic worm detection using structural information of executables

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Quantified Score

Hi-index	0.00

Visualization

Abstract

Sophisticated industrial worms, such as Stuxnet, Flame, Duqu, have brought much threat in industrial networks. Most existing detection methods use content pattern or aggressive activities as a clue to the existence of worms, which are ineffective against worms that don't have their pattern been known and don't behave aggressively. To detect such worms, we proposed Cloud-based Behavior Similarity Transmission Method (CBSTM). CBSTM is a cloud-based method that utilizes the fundamental feature that a worm propagates from host to host. It monitors behaviors on each host in industrial networks. When same behaviors propagate among hosts and meet given criteria, corresponding hosts are believed to be infected by worms. When the worm is detected, the found behavior sequence is used as this worm's signature to realize instant worm detection afterwards. Since CBSTM doesn't need specific characteristics of worms, it can be generally applied to detecting any worms in industrial networks. The evaluation with detecting Stuxnet confirms the effectiveness of CBSTM.