On the detection and origin identification of mobile worms

Mobility can be exploited to spread malware among wireless nodes moving across network domains. Because such mobile worms spread across domains by exploiting the physical movement of mobile nodes, they cannot be contained by existing defenses. In this paper we address this new challenge using techniques for detecting the existence of stealthy mobile worms in the early stages of their infection and identifying the origins of such infections. The proposed mechanisms are based on random moonwalks, which were originally used in post-mortem analysis of Internet worms. However, as we demonstrate, the original technique fails against mobile worms, which are inherently stealthier than existing malware. In this paper, we extend the moonwalk algorithm by considering new heuristics and show that the proposed mechanism can reliably detect mobile worms during the early stages of infection. Our simulation results, based on network traces collected from a university-wide wireless network, show that a mobile infection can be reliably detected before it infects 10% of the vulnerable population. Furthermore, the proposed mechanism identifies the origin of the infection by limiting the search for the initial victims to within 2% of the mobile node population.
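The abstract names the random moonwalk as the basis of its detection and origin-identification mechanism but does not describe the walk itself. The following is an added example, not code from this paper or its authors: it implements the baseline random moonwalk over a host-contact trace as described in the original Internet-worm work (a backward random walk from a flow to a flow that entered its source host within a time window, repeated from many random starting flows, with flows ranked by how often they are visited), and reads the origin candidate off the top-ranked flow. The contact trace, host names, time window and hop cap are all constructed for illustration; the mobility-specific heuristics the paper adds are not reproduced, since the abstract does not specify them.

```python
import random
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One host-to-host contact: src contacted dst at time t (constructed units)."""
    src: str
    dst: str
    t: float


def constructed_trace():
    """Constructed contact trace, not a real WLAN dataset.

    Hosts h0..h14 form an infection tree rooted at h0 (each victim later
    contacts two new hosts); h20..h23 generate unrelated background traffic,
    including one contact into h3 that competes with the true causal edge.
    """
    infection = [
        Flow("h0", "h1", 1), Flow("h0", "h2", 2),
        Flow("h1", "h3", 3), Flow("h1", "h4", 4),
        Flow("h2", "h5", 5), Flow("h2", "h6", 6),
        Flow("h3", "h7", 7), Flow("h3", "h8", 8),
        Flow("h4", "h9", 9), Flow("h4", "h10", 10),
        Flow("h5", "h11", 11), Flow("h5", "h12", 12),
        Flow("h6", "h13", 13), Flow("h6", "h14", 14),
    ]
    background = [
        Flow("h20", "h21", 2), Flow("h21", "h22", 5), Flow("h22", "h20", 9),
        Flow("h23", "h3", 2.5),  # a non-causal contact into an infected host
    ]
    return infection + background


def index_by_destination(flows):
    """Map destination host -> its inbound flows, sorted by time."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    for inbound in by_dst.values():
        inbound.sort(key=lambda f: f.t)
    return by_dst


def moonwalk(start, by_dst, delta_t, max_hops, rng):
    """One backward random walk.

    From flow (src -> dst at t) step to a uniformly chosen flow that entered
    src during [t - delta_t, t): a contact that could have caused this one.
    Stop when no such flow exists or after max_hops steps. Time only
    decreases along the walk, so no flow is visited twice.
    """
    path = [start]
    cur = start
    for _ in range(max_hops):
        candidates = [f for f in by_dst.get(cur.src, ())
                      if cur.t - delta_t <= f.t < cur.t]
        if not candidates:
            break
        cur = rng.choice(candidates)
        path.append(cur)
    return path


def rank_flows(flows, walks=5000, delta_t=10.0, max_hops=8, seed=7):
    """Run many walks from random start flows and rank flows by visit count.

    Causal edges near the root of the infection tree lie on the backward
    path of every walk that starts in their subtree, so they dominate.
    """
    rng = random.Random(seed)
    by_dst = index_by_destination(flows)
    visits = Counter()
    for _ in range(walks):
        for f in moonwalk(rng.choice(flows), by_dst, delta_t, max_hops, rng):
            visits[f] += 1
    return visits.most_common()


def identify_origin(flows, **kwargs):
    """Source host of the most frequently visited flow: the origin candidate."""
    return rank_flows(flows, **kwargs)[0][0].src


if __name__ == "__main__":
    trace = constructed_trace()
    for flow, n in rank_flows(trace)[:5]:
        print(f"{flow.src:>4} -> {flow.dst:<4} t={flow.t:<5} visits={n}")
    print("origin candidate:", identify_origin(trace))
```

On the constructed trace the two flows leaving h0 collect the most visits and h0 is returned as the origin, even though h3 has a competing non-causal inbound contact. The window `delta_t` and the hop cap are the knobs that matter in practice: a window shorter than the time between a node's infection and its next outgoing contact breaks the backward chain, which is exactly the weakness a stealthy, slow-spreading mobile worm exposes and the reason the paper needs additional heuristics.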
