Hitlist Worm Detection using Source IP Address History
Authors
Abstract
Internet worms are a growing menace due to their increasing sophistication and speed of propagation. In this paper, we present a new worm detection scheme, History-based IP Worm Detection. It uses the difference in the distribution of source addresses between regular users and scanning hosts to distinguish between worm probes and normal accesses. This property is used to implement a weighted source address counting scheme, and a change point detection technique is used to detect surges in the rate of source addresses seen. In contrast to many existing techniques for worm detection, our approach is able to detect worms that only scan active addresses, while having linear time complexity.
Similar references
Defending against hitlist worms using network address space randomization
Worms are self-replicating malicious programs that represent a major security threat for the Internet, as they can infect and damage a large number of vulnerable hosts at timescales where human responses are unlikely to be effective. Sophisticated worms that use precomputed hitlists of vulnerable targets are especially hard to contain, since they are harder to detect, and spread at rates where ...
TAO: Protecting Against Hitlist Worms Using Transparent Address Obfuscation
Sophisticated worms that use precomputed hitlists of vulnerable targets are especially hard to contain, since they are harder to detect, and spread at rates where even automated defenses may not be able to react in a timely fashion. Recent work has examined a proactive defense mechanism called Network Address Space Randomization (NASR) whose objective is to harden networks specifically against ...
Taxonomy and Effectiveness of Worm Defense Strategies
While it is important to develop effective worm defense techniques, most previous work has focused on a single point in the design space. The sheer complexity and size of the design space of worm defense requires a more systematic study of the design space. We give the first systematic investigation of the design space of worm defense system strategies. We accomplish this by providing a taxonom...
Detecting IP Spoofing by Modelling History of IP Address Entry Points
Since a lot of the networks do not apply source IP filtering to its outgoing traffic, an attacker may insert an arbitrary source IP address in an outgoing packet, i.e., IP address spoofing. This paper elaborates on a possibility to detect the spoofing in a large network peering with other networks. A proposed detection scheme is based on an analysis of NetFlow data collected at the entry points...
Carrier-Grade Anomaly Detection Using Time-to-Live Header Information
Time-to-Live data in the IP header offers two interesting characteristics: First, different IP stacks pick different start TTL values. Second, each traversed router should decrement the TTL value. The combination of both offers host and route fingerprinting options. We present the first work to investigate Internet-wide TTL behavior at carrier scale and evaluate its fit to detect anomalies, pre...