Host Behaviour Based Early Detection of Worm Outbreaks in Internet Backbones

Authors:
Thomas Dubendorfer;Bernhard Plattner
Affiliations:
Swiss Federal Institute of Technology, Zurich;Computer Engineering and Networks Laboratory (TIK)
Venue:
WETICE '05 Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise
Year:
2005

Citing 0
Cited 8

A NetFlow based flow analysis and monitoring system in enterprise networks

Computer Networks: The International Journal of Computer and Telecommunications Networking
A Survey of the High-Speed Self-learning Intrusion Detection Research Area

AIMS '07 Proceedings of the 1st international conference on Autonomous Infrastructure, Management and Security: Inter-Domain Management
Anomaly Characterization in Flow-Based Traffic Time Series

IPOM '08 Proceedings of the 8th IEEE international workshop on IP Operations and Management
A Novel Worm Detection Model Based on Host Packet Behavior Ranking

OTM '08 Proceedings of the OTM 2008 Confederated International Conferences, CoopIS, DOA, GADA, IS, and ODBASE 2008. Part II on On the Move to Meaningful Internet Systems
Behavioural Characterization for Network Anomaly Detection

Transactions on Computational Science IV
Beyond Shannon: Characterizing Internet Traffic with Generalized Entropy Metrics

PAM '09 Proceedings of the 10th International Conference on Passive and Active Network Measurement
Flow-level traffic analysis of the blaster and sobig worm outbreaks in an internet backbone

DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Review: A survey of network flow applications

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

We propose a novel near real-time method for early detection of worm outbreaks in high-speed Internet backbones. Our method attributes several behavioural properties to individual hosts like ratio of outgoing to incoming traffic, responsiveness and number of connections. These properties are used to group hosts into distinct behaviour classes. We use flow-level (Cisco NetFlow) information exported by the border routers of a Swiss Internet backbone provider (AS559/SWITCH). By tracking the cardinality of each class over time and alarming on fast increases and other significant changes, we can early and reliably detect worm outbreaks. We successfully validated our method with archived flow-level traces of recent major Internet email based worms such as MyDoom.A and Sobig.F, and fast spreading network worms like Witty and Blaster. Our method is generic in the sense that it does not require any previous knowledge about the exploits and scanning method used by the worms. It can give a set of suspicious hosts in near real-time that have recently and drastically changed their network behaviour and hence are highly likely to be infected.