Differencing Worm Flows and Normal Flows for Automatic Generation of Worm Signatures

Simkhada, Kumar; Tsunoda, Hiroaki; Waizumi, Yuji; Nemoto, Y.

doi:10.1109/ism.2005.49

Cited by 5 publications

(9 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main objective here is to sort worms (and worms only) at MSM and generate a highly accurate signature to ensure a high detection rate against the same kind of worms that try to penetrate into the network. Our results, illustrated in Reference [10] and in Section 5.2 demonstrate that the accuracy of these signatures for NetSky and Beagle traces used in our experiments is over 99.5%.…”

Section: Implementation Issues and Discussionmentioning

confidence: 56%

“…Polygraph [21] addresses this problem by using multiple substrings as signature. In Reference [10], the authors also generate multiple substring signature by differentiating normal flows from worm flows.…”

Section: Background and Related Workmentioning

confidence: 99%

“…A MSM uses cluster analysis to sort worms out of the suspicious contents transmitted by its local managers. The MSM then automatically generates signature from the sorted worms by using a differentiation-based approach presented in Reference [10]. It then sends the generated signature to the GSM.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Combating against internet worms in large‐scale networks: an autonomic signature‐based solution

Simkhada¹,

Taleb²,

Waizumi³

et al. 2008

Security Comm Networks

View full text Add to dashboard Cite

In this paper, we propose a signature-based hierarchical email worm detection (SHEWD) system to detect e-mail worms in large-scale networks. The proposed system detects novel worms and instantly generates their signatures. This feature helps to check the spread of any kind of worm-known or unknown.We envision a two-layer hierarchical architecture comprising local security managers (LSMs), metropolitan security managers (MSM), and a global security manager (GSM). Local managers collect suspicious flows and hand them to metropolitan managers. Metropolitan managers then use cluster analysis to sort worms from the suspicious flows. The sorted worms are used to generate the worm signature which is relayed to the global manager and then to all the collaborating networks. A separate scheme is proposed to automatically select suitable values of the system parameters. This parameter selection procedure takes into account the current network state and the threat level of the ongoing attack. The performance of the whole system is investigated using real network traffic with traces of worms. Experimental results demonstrate that the proposed scheme is capable to accurately detect email worms during the early phase of their propagations.

show abstract

Section: Implementation Issues and Discussionmentioning

confidence: 56%

Section: Background and Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Combating against internet worms in large‐scale networks: an autonomic signature‐based solution

Simkhada¹,

Taleb²,

Waizumi³

et al. 2008

Security Comm Networks

View full text Add to dashboard Cite

show abstract

“…The sorted worms are used to generate the signature for the propagating worm. The generated signature consists of multiple substrings that commonly exist in worm flows but not in normal flows [11].…”

Section: Background and System Performance Metricsmentioning

confidence: 99%

“…The authors propose a signature-based hierarchical worm detection technique for large scale networks in [10] and a multiple-substrings signature generation approach in [11]. These systems deploy several parameters in order to enforce suitable security policies.…”

Section: Introductionmentioning

confidence: 99%

NIS08-1: A Multi-level Security Based Autonomic Parameter Selection Approach for an Effective and Early Detection of Internet Worms

et al. 2006

View full text Add to dashboard Cite

In light of the fast propagation of recent Internet worms, human intervention in securing the Internet during worm outbreaks is of little significance. In order to reduce the damage worms may cause, existing Intrusion Detection Systems (IDSs) need to be adaptive to the security-related requirements of their monitoring networks. This paper presents a Multilevel security based Autonomic Parameter Selector (MAPS) that can be implemented over any existing IDSs. The deployment architecture consists of a number of hierarchically placed local security managers, metropolitan security managers, and a global security manager. These security managers report events to a Worm Advisory System (WAS). WAS accordingly sets the threat level of the network. Based on this level, MAPS selects the most optimum parameters for the entire IDS to combat against the propagating worm. The MAPS architecture maintains the system performance by constantly evaluating three metrics, namely False Negative Avoidance, False Positive Avoidance, and Performance Overhead. Extensive experiments, using real network traffic and a recently proposed worm detection system, demonstrate that MAPS is capable of advising an IDS with optimum parameter values to effectively and promptly hinder further propagation of worms.

show abstract

An Efficient Signature-Based Approach for Automatic Detection of Internet Worms over Large-Scale Networks

Simkhada

Taleb

Waizumi

et al. 2006

2006 IEEE International Conference on Communications

View full text Add to dashboard Cite

Differencing Worm Flows and Normal Flows for Automatic Generation of Worm Signatures

Cited by 5 publications

References 9 publications

Combating against internet worms in large‐scale networks: an autonomic signature‐based solution

Combating against internet worms in large‐scale networks: an autonomic signature‐based solution

NIS08-1: A Multi-level Security Based Autonomic Parameter Selection Approach for an Effective and Early Detection of Internet Worms

An Efficient Signature-Based Approach for Automatic Detection of Internet Worms over Large-Scale Networks

Contact Info

Product

Resources

About