A self-learning worm using importance scanning
Proceedings of the 2005 ACM workshop on Rapid malcode
Worm evolution tracking via timing analysis
Proceedings of the 2005 ACM workshop on Rapid malcode
SybilGuard: defending against sybil attacks via social networks
Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Semi-automated discovery of application session structure
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Signature metrics for accurate and automated worm detection
Proceedings of the 4th ACM workshop on Recurring malcode
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
A new worm exploiting IPv4-IPv6 dual-stack networks
Proceedings of the 2007 ACM workshop on Recurring malcode
On the detection and origin identification of mobile worms
Proceedings of the 2007 ACM workshop on Recurring malcode
Origins: an approach to trace fast spreading worms to their roots
International Journal of Security and Networks
On web browsing privacy in anonymized NetFlows
SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
CSAMP: a system for network-wide flow monitoring
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Online Tracing Scanning Worm with Sliding Window
Information Security and Cryptology
Online Accumulation: Reconstruction of Worm Propagation Path
NPC '08 Proceedings of the IFIP International Conference on Network and Parallel Computing
Self-adaptive worms and countermeasures
SSS'06 Proceedings of the 8th international conference on Stabilization, safety, and security of distributed systems
Coordinated sampling sans origin-destination identifiers: algorithms and analysis
COMSNETS'10 Proceedings of the 2nd international conference on COMmunication systems and NETworks
Revisiting the case for a minimalist approach for network flow monitoring
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Summary-invisible networking: techniques and defenses
ISC'10 Proceedings of the 13th international conference on Information security
Characterizing internet worm infection structure
LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
Toward a framework for forensic analysis of scanning worms
ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
Janus: a two-sided analytical model for multi-stage coordinated attacks
ICISC'06 Proceedings of the 9th international conference on Information Security and Cryptology
Populated IP addresses: classification and applications
Proceedings of the 2012 ACM conference on Computer and communications security
Understanding and overcoming cyber security anti-patterns
Computer Networks: The International Journal of Computer and Telecommunications Networking
A scalable network forensics mechanism for stealthy self-propagating attacks
Computer Communications
| Hi-index | 0.00 |
We propose a novel technique that can determine both the host responsible for originating a propagating worm attack and the set of attack flows that make up the initial stages of the attack tree via which the worm infected successive generations of victims. We argue that knowledge of both is important for combating worms: knowledge of the origin supports law enforcement, and knowledge of the causal flows that advance the attack supports diagnosis of how network defenses were breached. Our technique exploits the "wide tree" shape of a worm propagation emanating from the source by performing random "moonwalks" backward in time along paths of flows. Correlating the repeated walks reveals the initial causal flows, thereby aiding in identifying the source. Using analysis, simulation, and experiments with real world traces, we show how the technique works against both todayýs fast propagating worms and stealthy worms that attempt to hide their attack flows among background traffic.