Fast and accurate generation of worm signatures is essential to contain zero-day worms at the Internet scale. Recent work has shown that signature generation can be automated by analyzing the repetition of worm substrings (that is, fingerprints) and their address dispersion. However, at the early stage of a worm outbreak, individual edge networks are often short of enough worm exploits for generating accurate signatures. This paper presents both theoretical and experimental results on a collaborative worm signature generation system (WormShield) that employs distributed fingerprint filtering and aggregation over multiple edge networks. By analyzing real-life Internet traces, we discovered that fingerprints in background traffic exhibit a Zipf-like distribution. Because of this property, distributed fingerprint filtering reduces the amount of aggregation traffic significantly. WormShield monitors use a new distributed aggregation tree (DAT) to compute global fingerprint statistics in a scalable and load-balanced fashion. We simulated a spectrum of scanning worms including CodeRed and Slammer by using realistic Internet configurations of about 100,000 edge networks. On average, 256 collaborative monitors generate the signature of CodeRedI-v2 135 times faster than the same number of isolated monitors. In addition to speed gains, we observed fewer than 100 false signatures out of 18.7-Gbyte Internet traces, yielding a very low false-positive rate. Each monitor generates only about 0.6 kilobit per second of aggregation traffic, which is 0.003 percent of the 18 megabits per second of link traffic sniffed. These results demonstrate that the WormShield system offers distinct advantages in speed gains, signature accuracy, and scalability for large-scale worm containment.
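The abstract describes three mechanisms: content fingerprints (hashed substrings) counted together with their source and destination address dispersion, a local filter that forwards only fingerprints that repeat (most background fingerprints occur once, the Zipf-like property), and aggregation of the forwarded statistics across monitors so that a threshold no single edge network reaches is reached collectively. The following is an added example written for this page, not WormShield's code or any code from the paper. It assumes a winnowing-style fingerprint (fixed 8-byte substrings, one hash kept per window of 4), exact address sets instead of the cardinality estimators a real monitor would use, a single aggregator in place of the distributed aggregation tree, and constructed traffic in which three monitors each see two packets sharing an invariant substring. The thresholds, substring length, and the invariant bytes are all assumed values.

```python
"""Added example: fingerprint repetition + address dispersion with local
filtering before aggregation. Not from the paper; all parameters assumed."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

K = 8                  # substring length hashed into a fingerprint (assumed)
W = 4                  # winnowing window: keep one hash per W consecutive hashes (assumed)
LOCAL_MIN_COUNT = 2    # local filter: forward only fingerprints seen at least twice (assumed)
GLOBAL_MIN_COUNT = 5   # global thresholds for declaring a signature (assumed)
MIN_SRCS = 4
MIN_DSTS = 4

# Constructed invariant substring standing in for a worm's fixed payload region.
INVARIANT = b"CONSTRUCTED-WORM-INVARIANT-SUBSTRING"


def fingerprints(payload: bytes, k: int = K, w: int = W) -> Set[int]:
    """Hash every k-byte substring, then winnow: keep the minimum hash of each
    window of w consecutive hashes. Windows lying fully inside a shared region
    select the same hashes regardless of where that region sits in the packet."""
    if len(payload) < k:
        return set()
    hashes = [int.from_bytes(hashlib.blake2b(payload[i:i + k], digest_size=8).digest(), "big")
              for i in range(len(payload) - k + 1)]
    if len(hashes) <= w:
        return {min(hashes)}
    return {min(hashes[j:j + w]) for j in range(len(hashes) - w + 1)}


@dataclass
class FpStats:
    """Per-fingerprint repetition count and address dispersion."""
    count: int = 0
    srcs: Set[str] = field(default_factory=set)
    dsts: Set[str] = field(default_factory=set)

    def merge(self, other: "FpStats") -> None:
        self.count += other.count
        self.srcs |= other.srcs
        self.dsts |= other.dsts


class Monitor:
    """One edge-network monitor keeping local fingerprint statistics."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.stats: Dict[int, FpStats] = defaultdict(FpStats)

    def observe(self, src: str, dst: str, payload: bytes) -> None:
        for fp in fingerprints(payload):
            s = self.stats[fp]
            s.count += 1
            s.srcs.add(src)
            s.dsts.add(dst)

    def filtered_report(self, min_count: int = LOCAL_MIN_COUNT) -> Dict[int, FpStats]:
        """Local filter: fingerprints seen once (the bulk of background traffic)
        are never forwarded, which is what cuts the aggregation traffic."""
        return {fp: s for fp, s in self.stats.items() if s.count >= min_count}


def aggregate(reports: Iterable[Dict[int, FpStats]]) -> Dict[int, FpStats]:
    """Single-aggregator stand-in for the distributed aggregation tree."""
    total: Dict[int, FpStats] = defaultdict(FpStats)
    for report in reports:
        for fp, s in report.items():
            total[fp].merge(s)
    return total


def signature_candidates(stats: Dict[int, FpStats]) -> Set[int]:
    """A fingerprint becomes a signature only if it repeats enough AND is
    spread over enough sources and destinations (address dispersion)."""
    return {fp for fp, s in stats.items()
            if s.count >= GLOBAL_MIN_COUNT and len(s.srcs) >= MIN_SRCS and len(s.dsts) >= MIN_DSTS}


def sample_traffic() -> List[Tuple[str, str, str, bytes]]:
    """Constructed traffic: each of three monitors sees 10 unique benign payloads
    and 2 worm packets with variable bytes around INVARIANT. Addresses are from
    the RFC 5737 documentation ranges and private space."""
    traffic = []
    for mi, mon in enumerate(("edge-A", "edge-B", "edge-C")):
        for i in range(10):
            payload = (hashlib.sha256(f"benign-{mon}-{i}".encode()).digest()
                       + hashlib.sha256(f"tail-{mon}-{i}".encode()).digest())
            traffic.append((mon, f"10.{mi}.0.{i + 1}", f"10.{mi}.1.{i + 1}", payload))
        for i in range(2):
            n = mi * 2 + i
            var = hashlib.sha256(f"variant-{n}".encode()).digest()
            payload = var[:6] + INVARIANT + var[6:12]
            traffic.append((mon, f"198.51.100.{n + 1}", f"203.0.113.{n + 1}", payload))
    return traffic


def run_demo() -> dict:
    """Compare isolated monitors against collaborative aggregation."""
    monitors = {n: Monitor(n) for n in ("edge-A", "edge-B", "edge-C")}
    for mon, src, dst, payload in sample_traffic():
        monitors[mon].observe(src, dst, payload)
    isolated = {n: len(signature_candidates(m.stats)) for n, m in monitors.items()}
    reports = [m.filtered_report() for m in monitors.values()]
    signatures = signature_candidates(aggregate(reports))
    return {
        "isolated": isolated,                                       # each monitor alone
        "total_local": sum(len(m.stats) for m in monitors.values()),  # fingerprints held locally
        "forwarded": sum(len(r) for r in reports),                  # fingerprints actually sent
        "collaborative": len(signatures),
        "signatures": signatures,
    }


if __name__ == "__main__":
    result = run_demo()
    print({k: v for k, v in result.items() if k != "signatures"})
```

With two worm packets per monitor, no monitor alone reaches the repetition or dispersion thresholds, while the aggregate of the three filtered reports does; the forwarded count is a small fraction of the fingerprints each monitor holds, because every unique benign fingerprint is dropped locally. Replacing the address sets with a cardinality estimator and the single aggregator with a tree of aggregators would change the resource cost but not the decision logic shown here.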