Enhancing SWORD to Detect Zero-Day-Worm-Infected Hosts

Authors:
Shad Stafford; Jun Li;Toby Ehrenkranz
Affiliations:
Department of Computer Science University of OregonEugene OR 97403-1202, USA;Department of Computer Science University of OregonEugene OR 97403-1202, USA;Department of Computer Science University of OregonEugene OR 97403-1202, USA
Venue:
Simulation
Year:
2007

Citing 14
Cited 1

Mersenne twister: a 623-dimensionally equidistributed uniform pseudo-random number generator

ACM Transactions on Modeling and Computer Simulation (TOMACS) - Special issue on uniform random number generation
Code-Red: a case study on the spread and victims of an internet worm

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Inside the Slammer Worm

IEEE Security and Privacy
Monitoring and early warning for internet worms

Proceedings of the 10th ACM conference on Computer and communications security
Honeycomb: creating intrusion detection signatures using honeypots

ACM SIGCOMM Computer Communication Review
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Worm Origin Identification Using Random Moonwalks

SP '05 Proceedings of the 2005 IEEE Symposium on Security and Privacy
Simulation and Analysis on the Resiliency and Efficiency of Malnets

Proceedings of the 19th Workshop on Principles of Advanced and Distributed Simulation
Automated worm fingerprinting

OSDI'04 Proceedings of the 6th conference on Symposium on Opearting Systems Design & Implementation - Volume 6
Implementing and testing a virus throttle

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Autograph: toward automated, distributed worm signature detection

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Network intrusion detection

IEEE Network: The Magazine of Global Internetworking

Online Accumulation: Reconstruction of Worm Propagation Path

NPC '08 Proceedings of the IFIP International Conference on Network and Parallel Computing

Quantified Score

Hi-index	0.00

Visualization

Abstract

Once a host is infected by an Internet worm, prompt action must be taken before that host does more harm to its local network and the rest of the Internet. It is therefore critical to quickly detect that a worm has infected a host. In this paper, we enhance our SWORD system to allow for the detection of infected hosts and evaluate its performance. This enhanced version of SWORD inherits the advantages of the original SWORD: it does not rely on inspecting traffic payloads to search for worm byte patterns or setting up a honeypot to lure worm traffic. Furthermore, while acting as a host-level detection system, it runs at a network's gateway and stays transparent to individual hosts. We show that our enhanced SWORD system is able to quickly and accurately detect if a host is infected by a zero-day worm. Furthermore, the detection is shown to be effective against worms of different types and speeds, including polymorphic worms