A Fast Worm Scan Detection Tool for VPN Congestion Avoidance
Authors
Abstract
Finding the cause of congested virtual private network (VPN) links that connect an office network over the Internet to remote subsidiaries can be a hassle. Scan traffic from worm-infected hosts is one important possible cause. We developed a scan detection tool that continuously monitors network traffic on the VPN gateway(s) and reliably detects and reports worm-infected hosts by tracking anomalous TCP, UDP and ICMP traffic. Our tool is not sensitive to most P2P software and was successfully tested on real production traffic as well as on traces of captured real and simulated worm traffic. Our various tests demonstrated a low false positive rate and a high detection rate. Our open source tool is an extension to the free intrusion detection system Bro. It was developed jointly by ETH Zurich and Open Systems, a company offering managed security services, one of which is based on the presented worm scan detection tool.
Similar sources
Modeling, Analysis, and Mitigation of Internet Worm Attacks
In recent years, worms have become one of the major threats to the security of the Internet. In this talk, I will present our research on modeling, analysis, and mitigation of Internet worm attacks, which includes: (1) We present a “two-factor worm model”, which considers the impact of human counteractions and network congestion on a worm's propagation. (2) To detect the presence of an Internet...
Implementation of Congestion detection and avoidance of TARF in Wireless Sensor Networks
Wireless Sensor Networks are gaining popularity due to the fact that they offer low-cost solutions for a variety of application areas. A Wireless Sensor Network consists of multiple low cost sensors, densely deployed to monitor a particular event. Each sensor is deployed in a different location for a different purpose. Because of the unbalanced conditions, results of a particular sensor or group of s...
A Multi-level Security Based Autonomic Parameter Selection Approach for an Effective and Early Detection of Internet Worms
In light of the fast propagation of recent Internet worms, human intervention in securing the Internet during worm outbreaks is of little significance. In order to reduce the damage worms may cause, existing Intrusion Detection Systems (IDSs) need to be adaptive to the security-related requirements of their monitoring networks. This paper presents a Multilevel security based Autonomic Parameter...
Modelling TCP Traffic: a State-based Approach
In this paper, a state-based modelling of TCP traffic is presented. During a connection, TCP stays in one of the following states: Slow Start, Congestion Avoidance, Loss Recovery (Fast Recovery and/or Fast Retransmit) and Time Out. We propose the use of a discrete-time batch Markov process (DBMAP) to model the traffic generated by a TCP connection. The main contributions of the paper are the f...
TCP-Ho: A Congestion Control Algorithm with Design and Performance Evaluation
A critical design issue of Transmission Control Protocol (TCP) is its congestion control, which allows the protocol to adjust the end-to-end communication rate based on the detection of packet loss. However, TCP congestion control may function poorly during its slow start and congestion avoidance phases. This is because TCP sends bursts of packets with the fast window increase and the ACK-clock ba...