A monitoring system for detecting repeated packets with applications to computer worms

Authors: Paul C. van Oorschot; Jean-Marc Robert; Miguel Vargas Martin

Affiliations: School of Computer Science, Carleton University, Canada; Research and Innovation Centre – Security Group, Alcatel, Canada; University of Ontario Institute of Technology, Ontario, Canada, Alcatel, Canada

Venue: International Journal of Information Security

Year: 2006

Abstract

We present a monitoring system that detects repeated packets in network traffic, with applications including the detection of computer worms. It uses Bloom filters with counters. The system analyzes traffic in the routers of a network. Our preliminary evaluation of the system involved traffic from our internal lab and a well-known historical data set. After appropriate configuration, no false alarms are obtained on these data sets, and we expect that low false alarm rates are possible in many network environments. We also conduct simulations using real Internet Service Provider topologies with realistic link delays and simulated traffic. These simulations confirm that this approach can detect worms at early stages of propagation. We believe our approach, with minor adaptations, is of independent interest for a number of network applications that benefit from detecting repeated packets, beyond detecting worm propagation. These include detecting network anomalies such as dangerous traffic fluctuations, abusive use of certain services, and some distributed denial-of-service attacks.
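The core mechanism the abstract names, a Bloom filter whose cells are counters rather than bits, is shown below as an added illustration; this is not the paper's code, and the hashing scheme, filter sizes, threshold and sample payloads are constructed assumptions. Counters let a monitor count how often a payload fingerprint has been seen and age old observations out, which a plain bit-array Bloom filter cannot do.

```python
import hashlib
from typing import Iterable, List, Optional, Set, Tuple

class CountingBloomFilter:
    """Bloom filter with counters instead of bits (sizes here are assumptions)."""

    def __init__(self, size: int = 4096, hashes: int = 3) -> None:
        self.size = size
        self.hashes = hashes
        self.counters = [0] * size

    def _positions(self, key: bytes) -> Set[int]:
        # k indexes carved from one SHA-256 digest (a constructed scheme); the
        # set drops duplicate positions so each counter moves by exactly one.
        digest = hashlib.sha256(key).digest()
        return {int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.size
                for i in range(self.hashes)}

    def estimate(self, key: bytes) -> int:
        # Every insert of key raised all its counters, so the minimum is never
        # below the true count; collisions with other keys can only inflate it.
        return min(self.counters[p] for p in self._positions(key))

    def add(self, key: bytes) -> int:
        for p in self._positions(key):
            self.counters[p] += 1
        return self.estimate(key)

    def decay(self) -> None:
        # Age every observation by one; call once per time window.
        self.counters = [max(c - 1, 0) for c in self.counters]

def detect_repeated_payloads(payloads: Iterable[bytes], threshold: int,
                             bloom: Optional[CountingBloomFilter] = None
                             ) -> List[Tuple[int, int]]:
    """(packet index, estimated count) whenever a payload first reaches the
    threshold; the before/after check survives counter jumps from collisions."""
    bloom = bloom or CountingBloomFilter()
    alerts = []
    for i, payload in enumerate(payloads):
        before = bloom.estimate(payload)
        after = bloom.add(payload)
        if before < threshold <= after:
            alerts.append((i, after))
    return alerts

# Constructed sample traffic: one payload repeated among unique ones.
REPEATED = b"constructed-repeated-payload"
SAMPLE_PAYLOADS = [b"unique-0", REPEATED, b"unique-1", REPEATED,
                   b"unique-2", REPEATED, b"unique-3", REPEATED]
```

Because the estimate is an upper bound on the true count, a threshold tuned too low on a small filter produces false alarms from colliding fingerprints; the filter size and threshold are the knobs that the abstract's "appropriate configuration" refers to.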