CERIAS Tech Report 2005-80 CSD TR #05-027 BEHAVIORAL FOOTPRINTING: A NEW DIMENSION TO CHARACTERIZE
Abstract
With increasing speed, virulence, and sophistication, self-propagating worms continue to pose a serious threat to the safety of the Internet. To effectively identify and defend against self-propagating worms, a critical task is to characterize a worm along multiple dimensions. Content-based fingerprinting is a well-established dimension for worm characterization by deriving the most representative content sequence as a worm’s signature. However, this dimension alone does not capture all aspects of a worm and may therefore lead to incomplete or inaccurate worm characterization. To expand the space of worm characterization, this paper proposes and justifies a new dimension, behavioral footprinting. Orthogonal and complementary to content-based fingerprinting, behavioral footprinting characterizes a worm’s unique behavior during each infection session, which covers the probing, exploitation, and replication phases of the infection session. By modeling each infection step as a behavior phenotype and the entire infection session as a sequential behavioral footprint, we show that behavioral footprinting captures worm-specific behavior which is inherently different from a normal access to the vulnerable service. We present advanced sequence analysis techniques to extract a worm’s behavioral footprint from its infection traces. Our evaluation with a number of real-world worms clearly demonstrates its feasibility and effectiveness in successfully extracting worm-characterizing behavioral footprints for all experimented worms. Furthermore, by comparing with content-based fingerprinting, our experiments demonstrate the uniqueness and robustness of behavioral footprinting in worm recognition and identification.
Similar resources
CERIAS Tech Report 2005-81 CSD TR #05-028 PROVENANCE-AWARE TRACING OF WORM BREAK-IN AND CONTAMINATIONS: A PROCESS COLORING APPROACH
To investigate the exploitation and contamination by self-propagating Internet worms, a provenance-aware tracing mechanism is highly desirable. Provenance unawareness causes difficulties in fast and accurate identification of a worm’s break-in point (namely, a remotely-accessible vulnerable service running in the infected host), and incurs significant log data inspection overhead. This paper pre...
Behavioral Footprinting: A New Dimension to Characterize Self-Propagating Worms
With increasing speed, virulence, and sophistication, self-propagating worms continue to pose a serious threat to the safety of the Internet. To effectively identify and defend against self-propagating worms, a critical task is to characterize a worm along multiple dimensions. Content-based fingerprinting is a well-established dimension for worm characterization by deriving the most representat...
CERIAS Tech Report 2005-42 A POLICY FRAMEWORK FOR ACCESS MANAGEMENT IN FEDERATED INFORMATION SHARING
CERIAS Tech Report 2005-34 ON CONNECTING RED AND BLUE RECTANGLES WITH NONINTERSECTING MONOTONE RECTILINEAR PATHS
CERIAS Tech Report 2005-67 SOFTWARE ENGINEERING FOR SECURE SOFTWARE - STATE OF THE ART: A SURVEY
This report contains a survey of the state of the art in software engineering for secure software. Secure software is defined and techniques used in each phase of the software lifecycle to engineer the development of secure software are described. Also identified are open questions and areas where further research is needed. The survey reported here was undertaken to understand how the practice...