A distributed host-based worm detection system

Authors:
Senthilkumar G. Cheetancheri;John Mark Agosta;Denver H. Dash;Karl N. Levitt;Jeff Rowe;Eve M. Schooler
Affiliations:
UC Davis, Davis, CA;Intel Research, Santa Clara, CA;Intel Research, Santa Clara, CA;UC Davis, Davis, CA;UC Davis, Davis, CA;Intel Research, Santa Clara, CA
Venue:
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Year:
2006

Citing 18
Cited 10

Reaching Agreement in the Presence of Faults

Journal of the ACM (JACM)
The Byzantine Generals Problem

ACM Transactions on Programming Languages and Systems (TOPLAS)
Some constraints and tradeoffs in the design of network communications

SOSP '75 Proceedings of the fifth ACM symposium on Operating systems principles
Monitoring and early warning for internet worms

Proceedings of the 10th ACM conference on Computer and communications security
Simulating realistic network worm traffic for worm warning system design and testing

Proceedings of the 2003 ACM workshop on Rapid malcode
Epidemic profiles and defense of scale-free networks

Proceedings of the 2003 ACM workshop on Rapid malcode
Cyber defense technology networking and evaluation

Communications of the ACM - Homeland security
An integrated experimental environment for distributed systems and networks

OSDI '02 Proceedings of the 5th symposium on Operating systems design and implementationCopyright restrictions prevent ACM from being able to make the PDFs for this conference available for downloading
Microscopic Simulation of a Group Defense Strategy

Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation
Collaborative Internet Worm Containment

IEEE Security and Privacy
Vigilante: end-to-end containment of internet worms

Proceedings of the twentieth ACM symposium on Operating systems principles
Host-based detection of worms through peer-to-peer cooperation

Proceedings of the 2005 ACM workshop on Rapid malcode
Countering Network Worms Through Automatic Patch Generation

IEEE Security and Privacy
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
When gossip is good: distributed probabilistic inference for detection of slow network intrusions

AAAI'06 proceedings of the 21st national conference on Artificial intelligence - Volume 2
Robust reactions to potential day-zero worms through cooperation and validation

ISC'06 Proceedings of the 9th international conference on Information Security
Anomalous payload-based worm detection and signature generation

RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection

Dependency-based distributed intrusion detection

DETER Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007
Security against probe-response attacks in collaborative intrusion detection

Proceedings of the 2007 workshop on Large scale attack defense
Secure Sharing of an ICT Infrastructure through Vinci

AIMS '08 Proceedings of the 2nd international conference on Autonomous Infrastructure, Management and Security: Resilient Networks and Services
Optimal Cost, Collaborative, and Distributed Response to Zero-Day Worms - A Control Theoretic Approach

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Collaborative defence as a pervasive service: architectural insights and validation methodologies of a trial deployment

International Journal of Sensor Networks
Towards automated detection of peer-to-peer botnets: on the limits of local approaches

LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Uncovering Global Icebergs in Distributed Streams: Results and Implications

Journal of Network and Systems Management
Scalable Stealth Mode P2P Overlays of Very Small Constant Degree

ACM Transactions on Autonomous and Adaptive Systems (TAAS)
Asynchronous peer-to-peer data mining with stochastic gradient descent

Euro-Par'11 Proceedings of the 17th international conference on Parallel processing - Volume Part I
Argumentation logic to assist in security administration

Proceedings of the 2012 workshop on New security paradigms

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present a method for detecting large-scale worm attacks using only end-host detectors. These detectors propagate and aggregate alerts to cooperating partners to detect large-scale distributed attacks in progress. The properties of the host-based detectors may in fact be relatively poor in isolation but when taken collectively result in a high-quality distributed worm detector. We implement a cooperative alert sharing protocol coupled with distributed sequential hypothesis testing to generate global alarms about distributed attacks. We evaluate the system's response in the presence of a variety of false alarm conditions and in the presence of an Internet worm attack. Our evaluation is conducted with agents on the Emulab and DETER emulated testbeds using real operating systems and computing platforms.