The Mathematics of Infectious Diseases
SIAM Review
Code red worm propagation modeling and analysis
Proceedings of the 9th ACM conference on Computer and communications security
Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Monitoring and early warning for internet worms
Proceedings of the 10th ACM conference on Computer and communications security
Worm propagation modeling and analysis under dynamic quarantine defense
Proceedings of the 2003 ACM workshop on Rapid malcode
IEEE Security and Privacy
Proceedings of the 2004 ACM workshop on Rapid malcode
Toward understanding distributed blackhole placement
Proceedings of the 2004 ACM workshop on Rapid malcode
Worm Detection, Early Warning and Response Based on Local Victim Information
ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Inferring internet denial-of-service activity
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
A self-learning worm using importance scanning
Proceedings of the 2005 ACM workshop on Rapid malcode
Worm evolution tracking via timing analysis
Proceedings of the 2005 ACM workshop on Rapid malcode
Towards scalable and robust distributed intrusion alert fusion with good load balancing
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
On the impact of dynamic addressing on malware propagation
Proceedings of the 4th ACM workshop on Recurring malcode
A realistic simulation of internet-scale events
valuetools '06 Proceedings of the 1st international conference on Performance evaluation methodolgies and tools
Optimal worm-scanning method using vulnerable-host distributions
International Journal of Security and Networks
Correcting congestion-based error in network telescope's observations of worm dynamics
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Peer-to-peer system-based active worm attacks: Modeling, analysis and defense
Computer Communications
Deriving a closed-form expression for worm-scanning strategies
International Journal of Security and Networks
COD: online temporal clustering for outbreak detection
AAAI'07 Proceedings of the 22nd national conference on Artificial intelligence - Volume 1
An information-theoretic view of network-aware malware attacks
IEEE Transactions on Information Forensics and Security
Vortex: enabling cooperative selective wormholing for network security systems
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Investigating the impact of real-world factors on internet worm propagation
ICISS'07 Proceedings of the 3rd international conference on Information systems security
Internet background radiation revisited
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Characterizing and defending against divide-conquer-scanning worms
Computer Networks: The International Journal of Computer and Telecommunications Networking
Enhancing Intrusion Detection System with proximity information
International Journal of Security and Networks
Robust reactions to potential day-zero worms through cooperation and validation
ISC'06 Proceedings of the 9th international conference on Information Security
The nepenthes platform: an efficient approach to collect malware
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Fast and evasive attacks: highlighting the challenges ahead
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Hi-index | 0.00 |
Distributed monitoring of unused portions of the IP address space holds the promise of providing early and accurate detection of high-profile security events, especially Internet worms. While this observation has been accepted for some time now, a systematic analysis of the requirements for building an effective distributed monitoring infrastructure is still missing. In this paper, we attempt to quantify the benefits of distributed monitoring and evaluate the practicality of this approach. To do so we developed a new worm propagation model that relaxes earlier assumptions regarding the uniformity of the underlying vulnerable population. This model allows us to evaluate how the size of the monitored address space, as well the number and locations of monitors, impact worm detection time. We empirically evaluate the effect of these parameters using traffic traces from over 1.5 billion suspicious connection attempts observed by more than 1600 intrusion detection systems dispersed across the Internet. Our results show that distributed monitors with half the allocated space of a centralized monitor can detect non-uniform scanning worms in half the time. Moreover, a distributed monitor of the same size as a centralized monitor can detect the worm four times faster. Furthermore, we show that even partial knowledge of the vulnerable population density can be used to improve monitor placement. Exploiting information about the location of the vulnerable population leads, in some cases, to detection time that is seven times as fast compared to random monitor deployment.