Worm evolution tracking via timing analysis

Rajab, Moheeb Abu; Monrose, Fabian; Terzis, Andreas

doi:10.1145/1103626.1103637

Cited by 19 publications

(28 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Besides, aiming at the flow characteristics of mobile worm in wireless networks, Sarat et al [9] improved random moonwalk algorithm so that the algorithm tends to be e«ective continuously. Rajab et al [3] presented a simple technique that uses the history data acquired through a network telescope to infer the actual sequence of host infections. A di«erent approach was proposed by Kumar et al [6] where a Witty worm was reversely engineered to recover the random scanning algorithm and corresponding initial seeds.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Online Accumulation: Reconstruction of Worm Propagation Path

Xiang

Guo

2008

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Knowledge of the worm origin is necessary to forensic analysis, and knowledge of the initial causal flows supports diagnosis of how network defenses were breached. Fast and accurate online tracing network worm during its propagation, help to detect worm origin and the earliest infected nodes, and is essential for large-scale worm containment. This paper introduces the Accumulation Algorithm which can eAEciently tracing worm origin and the initial propagation paths, and presents an improved online Accumulation Algorithm using sliding detection windows. We also analyzes and verifies their detection accuracy and containment eAEcacy through simulation experiments in large scale network. Results indicate that the online Accumulation Algorithm can accurately tracing worms and eAEciently containing their propagation in an approximately real-time manner.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Tracing worm's attack paths (i.e., obtaining the propagation paths of network worm) [3,5,6] can dig out the initial victims and the infect sequence of hosts. Even if only partial path can be obtained, it still has significance in worm containment, evidence collecting and investigating.…”

Section: Introductionmentioning

confidence: 99%

Online Accumulation: Reconstruction of Worm Propagation Path

Xiang

Guo

2008

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…Specifically, we formulate the problem of estimating the worm infection sequence as a detection problem and derive the probability of error detection for different estimators. We demonstrate analytically and empirically that our method performs much better than the algorithm proposed in the previous work [13].…”

Section: Research Objectives and Contributionsmentioning

confidence: 80%

“…We show analytically and empirically that the mean squared error of our proposed estimators can be almost half of that of the naive estimator used in the previous work [13] in inferring the host infection time.…”

Section: Research Objectives and Contributionsmentioning

confidence: 90%

“…Hamadeh et al further described a general framework to recover the infection sequence for both TCP and UDP scanning worms from network telescope data [25]. Rajab et al applied the same data and studied the "infection and detection times" to infer the worm infection sequence [13]. Different from the above works, in Chapter 3, we employ advanced statistical estimation techniques to Internet worm tomography.…”

Section: Internet Worm Temporal Infection Structurementioning

confidence: 99%

See 1 more Smart Citation

Characterizing InternetWorm Spatial-Temporal Infection Structures

Wang¹

View full text Add to dashboard Cite

Fast and Evasive Attacks: Highlighting the Challenges Ahead

Rajab

Monrose

Terzis

2006

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. Passive network monitors, known as telescopes or darknets, have been invaluable in detecting and characterizing malware outbreaks. However, as the use of such monitors becomes commonplace, it is likely that malware will evolve to actively detect and evade them. This paper highlights the threat of simple, yet effective, evasive attacks that undermine the usefulness of passive monitors. Our results raise an alarm to the research and operational communities to take proactive countermeasures before we are forced to defend against similar attacks appearing in the wild. Specifically, we show how lightweight, coordinated sampling of the IP address space can be used to successfully detect and evade passive network monitors. Equally troubling is the fact that in doing so attackers can locate the "live" IP space clusters and divert malware scanning solely toward active networks. We show that evasive attacks exploiting this knowledge are also extremely fast, overtaking the entire vulnerable population within seconds.

show abstract

Worm evolution tracking via timing analysis

Cited by 19 publications

References 16 publications

Online Accumulation: Reconstruction of Worm Propagation Path

Online Accumulation: Reconstruction of Worm Propagation Path

Characterizing InternetWorm Spatial-Temporal Infection Structures

Fast and Evasive Attacks: Highlighting the Challenges Ahead

Contact Info

Product

Resources

About