A NetFlow based flow analysis and monitoring system in enterprise networks. Computer Networks: The International Journal of Computer and Telecommunications Networking.
A Survey of the High-Speed Self-learning Intrusion Detection Research Area. AIMS '07 Proceedings of the 1st international conference on Autonomous Infrastructure, Management and Security: Inter-Domain Management.
Anomaly Characterization in Flow-Based Traffic Time Series. IPOM '08 Proceedings of the 8th IEEE international workshop on IP Operations and Management.
A Novel Worm Detection Model Based on Host Packet Behavior Ranking. OTM '08 Proceedings of the OTM 2008 Confederated International Conferences, CoopIS, DOA, GADA, IS, and ODBASE 2008. Part II on On the Move to Meaningful Internet Systems.
Behavioural Characterization for Network Anomaly Detection. Transactions on Computational Science IV.
Beyond Shannon: Characterizing Internet Traffic with Generalized Entropy Metrics. PAM '09 Proceedings of the 10th International Conference on Passive and Active Network Measurement.
Flow-level traffic analysis of the blaster and sobig worm outbreaks in an internet backbone. DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment.
Review: A survey of network flow applications. Journal of Network and Computer Applications.
We propose a novel near real-time method for the early detection of worm outbreaks in high-speed Internet backbones. Our method attributes several behavioural properties to individual hosts, such as the ratio of outgoing to incoming traffic, responsiveness, and number of connections. These properties are used to group hosts into distinct behaviour classes. We use flow-level (Cisco NetFlow) information exported by the border routers of a Swiss Internet backbone provider (AS559/SWITCH). By tracking the cardinality of each class over time and raising an alarm on fast increases and other significant changes, we can detect worm outbreaks early and reliably. We successfully validated our method against archived flow-level traces of recent major Internet email-based worms such as MyDoom.A and Sobig.F, and of fast-spreading network worms such as Witty and Blaster. Our method is generic in the sense that it requires no prior knowledge of the exploits or scanning methods used by the worms. In near real-time it can produce a set of suspicious hosts that have recently and drastically changed their network behaviour and are therefore highly likely to be infected.
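The behaviour-class tracking described in the abstract, as an added Python example that is not code from the paper or from SWITCH: per time window it derives the three named per-host properties (out/in traffic ratio, responsiveness, number of connections) from NetFlow-like records, assigns each local host to a behaviour class, tracks the cardinality of every class across windows, and alarms when a class grows abruptly, reporting the hosts that newly entered it. The flow records, the monitored 10.0.0.0/8 prefix, the class definitions and all thresholds are constructed assumptions for illustration; the paper's own class definitions and alarm rule are not reproduced here.

```python
"""Host-behaviour class tracking over NetFlow-style records (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds below are assumptions chosen for this example, not values from the paper.
SCAN_MIN_CONNECTIONS = 20      # distinct (dst, dport) targets per window
SCAN_MAX_RESPONSIVENESS = 0.2  # fraction of initiated connections that got a reply flow
HIGH_OUT_IN_RATIO = 5.0        # outgoing/incoming octets
GROWTH_FACTOR = 2.0            # class must at least double versus the previous window
MIN_ALARM_HOSTS = 3            # ...and reach this many hosts before alarming


@dataclass(frozen=True)
class Flow:
    window: int   # time bin index, e.g. one NetFlow export interval
    src: str
    dst: str
    dport: int
    octets: int


def is_local(ip: str) -> bool:
    """Assumed monitored prefix: 10.0.0.0/8 (a constructed assumption)."""
    return ip.startswith("10.")


def host_features(flows):
    """features[window][host] = (out_in_ratio, responsiveness, connections) for local hosts."""
    by_window = defaultdict(list)
    for f in flows:
        by_window[f.window].append(f)
    features = {}
    for w, wflows in sorted(by_window.items()):
        out_octets, in_octets = Counter(), Counter()
        conns = defaultdict(set)
        pairs = {(f.src, f.dst) for f in wflows}  # for reply lookup (ports ignored, simplification)
        for f in wflows:
            if is_local(f.src) and not is_local(f.dst):
                out_octets[f.src] += f.octets
                conns[f.src].add((f.dst, f.dport))
            elif is_local(f.dst) and not is_local(f.src):
                in_octets[f.dst] += f.octets
        features[w] = {}
        for h in set(out_octets) | set(in_octets):
            n = len(conns[h])
            answered = sum(1 for dst, _ in conns[h] if (dst, h) in pairs)
            responsiveness = answered / n if n else 0.0
            ratio = out_octets[h] / max(in_octets[h], 1)
            features[w][h] = (ratio, responsiveness, n)
    return features


def classify(ratio, responsiveness, connections):
    """Map a host's properties to one of four assumed behaviour classes."""
    if connections == 0:
        return "quiet"
    if connections >= SCAN_MIN_CONNECTIONS and responsiveness < SCAN_MAX_RESPONSIVENESS:
        return "scanner-like"  # many targets, almost none answer: worm/scan signature
    if ratio > HIGH_OUT_IN_RATIO:
        return "outgoing-heavy"
    return "balanced"


def class_cardinalities(features):
    """cards[window][class] = set of hosts in that class during that window."""
    cards = {}
    for w, hosts in features.items():
        cards[w] = defaultdict(set)
        for h, feat in hosts.items():
            cards[w][classify(*feat)].add(h)
    return cards


def detect_outbreaks(flows):
    """Alarm when a class jumps versus the previous window; return (cards, alarms)."""
    cards = class_cardinalities(host_features(flows))
    windows = sorted(cards)
    alarms = []
    for prev_w, w in zip(windows, windows[1:]):
        for cls, hosts in cards[w].items():
            prev_hosts = cards[prev_w].get(cls, set())
            prev, cur = len(prev_hosts), len(hosts)
            if cur > prev and cur >= max(MIN_ALARM_HOSTS, GROWTH_FACTOR * prev):
                alarms.append((w, cls, prev, cur, sorted(hosts - prev_hosts)))
    return cards, alarms


def build_sample_flows():
    """Constructed traffic: 5 local hosts browse normally; in window 2, four of them
    start sweeping TCP/135 across many unanswered targets (Blaster-like behaviour)."""
    flows = []
    for t in range(3):
        for h in range(1, 6):
            src = f"10.0.0.{h}"
            for k in range(3):
                dst = f"198.51.100.{k}"
                flows.append(Flow(t, src, dst, 80, 500))    # request
                flows.append(Flow(t, dst, src, 80, 5000))   # reply
    for h in range(1, 5):
        for k in range(30):
            flows.append(Flow(2, f"10.0.0.{h}", f"203.0.113.{k}", 135, 48))
    return flows


if __name__ == "__main__":
    cards, alarms = detect_outbreaks(build_sample_flows())
    for w in sorted(cards):
        print(w, {cls: len(hs) for cls, hs in cards[w].items()})
    for w, cls, prev, cur, newcomers in alarms:
        print(f"ALARM window {w}: class '{cls}' grew {prev} -> {cur}; suspicious hosts: {newcomers}")
```

In the sample, windows 0 and 1 show five "balanced" hosts, and window 2 shows four hosts moving to "scanner-like", which trips the growth rule and yields exactly those four as the suspicious set, even though nothing in the code knows which port or exploit the worm uses.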