Setting a Worm Attack Warning by using Machine Learning to Classify NetFlow Data

We present a worm warning system that leverages the reliability of IP flow records and the effectiveness of machine learning techniques. Our system aims to raise an alarm when a node is behaving maliciously. Typically, a host infected by a scanning or an email worm initiates a significant amount of traffic that does not rely on DNS to translate names into numeric IP addresses. Based on this observation, we capture and classify NetFlow records to extract features that uniquely identify worm flows. The features are encapsulated into a set of feature patterns used to train a support vector machine (SVM). A feature pattern includes the number of DNS requests, the number of DNS responses, the number of DNS normals, and the number of DNS anomalies for each PC on the network within a certain period of time. The SVM is trained using five of the most dangerous scanning worms (CodeRed, Slammer, Sasser, Witty, and Doomjuice) as well as five email worms (Sobig, NetSky, MyDoom, Storm, and Conficker). Eleven worms were used during testing: Welchia, Dabber, BlueCode, Myfip, Nimda, Sober, Bagle, Francette, Sasser, MyDoom, and Conficker. The experimental results demonstrate the soundness of the worm warning system.
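The following is an added illustration of the feature-pattern idea described in the abstract; it is not the paper's code and the paper does not publish its exact rules. It builds the four-count pattern (DNS requests, DNS responses, DNS normals, DNS anomalies) per host and time window from simplified NetFlow-style records, then trains a small linear SVM (Pegasos subgradient training, written here in pure Python so it runs without scikit-learn) on constructed patterns. Because NetFlow exports no DNS answer data, the "normal" versus "anomaly" decision uses a timing heuristic that is an assumption of this example: a non-DNS outbound flow is "DNS normal" when the host issued any DNS request within a lookback interval before it, and a "DNS anomaly" otherwise. All flows and training patterns are constructed sample data, and the `Flow` type, `window`/`lookback` parameters and helper names are this example's own.

```python
"""Per-host DNS feature patterns from NetFlow-style records, plus a linear SVM."""
from collections import defaultdict
from dataclasses import dataclass
import random

DNS_PORT = 53


@dataclass
class Flow:
    start: float   # flow start time in seconds (constructed; real NetFlow uses sysuptime/unix secs)
    src: str
    dst: str
    sport: int
    dport: int
    proto: int     # 17 = UDP, 6 = TCP


def feature_patterns(flows, window=60.0, lookback=5.0):
    """Return {(host, window_index): [requests, responses, normals, anomalies]}.

    Heuristic (an assumption of this example, not the paper's rule): a non-DNS
    outbound flow is 'DNS normal' if the source host sent a DNS request in the
    preceding `lookback` seconds, otherwise it is a 'DNS anomaly'.
    """
    last_dns_request = {}                       # host -> time of its latest DNS request
    patterns = defaultdict(lambda: [0, 0, 0, 0])
    for f in sorted(flows, key=lambda f: f.start):
        widx = int(f.start // window)
        if f.dport == DNS_PORT:                 # host -> resolver: DNS request
            patterns[(f.src, widx)][0] += 1
            last_dns_request[f.src] = f.start
        elif f.sport == DNS_PORT:               # resolver -> host: DNS response
            patterns[(f.dst, widx)][1] += 1
        else:                                   # ordinary outbound flow from f.src
            t = last_dns_request.get(f.src)
            slot = 2 if t is not None and 0 <= f.start - t <= lookback else 3
            patterns[(f.src, widx)][slot] += 1
    return dict(patterns)


def to_vector(pattern):
    """Scale the four counts to proportions and append a constant bias feature."""
    total = sum(pattern) or 1
    return [c / total for c in pattern] + [1.0]


def train_svm(samples, lam=0.01, epochs=300, seed=0):
    """Pegasos training of a linear SVM; samples are (x, y) with y in {-1, +1}."""
    rng = random.Random(seed)
    w = [0.0] * len(samples[0][0])
    t = 0
    for _ in range(epochs):
        order = list(range(len(samples)))
        rng.shuffle(order)
        for i in order:
            t += 1
            eta = 1.0 / (lam * t)
            x, y = samples[i]
            margin = y * sum(wi * xi for wi, xi in zip(w, x))
            w = [(1 - eta * lam) * wi for wi in w]          # regularisation shrink
            if margin < 1:                                   # hinge-loss subgradient step
                w = [wi + eta * y * xi for wi, xi in zip(w, x)]
    return w


def classify(w, x):
    return "worm" if sum(wi * xi for wi, xi in zip(w, x)) >= 0 else "benign"


# Constructed training patterns [requests, responses, normals, anomalies].
BENIGN = [[20, 20, 50, 5], [35, 34, 80, 8], [12, 12, 30, 2], [50, 49, 120, 15], [8, 8, 20, 1]]
WORM = [[2, 2, 3, 400], [0, 0, 0, 250], [5, 5, 6, 900], [1, 1, 2, 120], [3, 3, 4, 600]]


def build_model():
    samples = [(to_vector(p), -1) for p in BENIGN] + [(to_vector(p), +1) for p in WORM]
    return train_svm(samples)


def sample_flows():
    """Constructed flows: 10.0.0.5 browses normally, 10.0.0.9 sweeps port 445 with no DNS."""
    resolver, web, benign, worm = "10.0.0.1", "93.184.216.34", "10.0.0.5", "10.0.0.9"
    flows = [
        Flow(1.0, benign, resolver, 40000, 53, 17), Flow(1.1, resolver, benign, 53, 40000, 17),
        Flow(1.5, benign, web, 50001, 443, 6),
        Flow(30.0, benign, resolver, 40001, 53, 17), Flow(30.1, resolver, benign, 53, 40001, 17),
        Flow(31.0, benign, web, 50002, 443, 6),
        Flow(50.0, benign, "10.0.0.20", 50003, 445, 6),   # no recent lookup -> anomaly
    ]
    flows += [Flow(10.0 + i * 0.1, worm, f"10.0.0.{100 + i}", 51000 + i, 445, 6) for i in range(10)]
    return flows


def demo():
    """Classify every (host, window) pattern found in the constructed flows."""
    w = build_model()
    return {host: classify(w, to_vector(p)) for (host, _), p in feature_patterns(sample_flows()).items()}


if __name__ == "__main__":
    for host, verdict in demo().items():
        print(host, verdict)
```

The scaling to proportions matters: raw counts vary with window length and host activity, and a linear SVM trained on unscaled counts would mostly learn "busy host" rather than "host that connects without resolving names". The lookback heuristic is deliberately simple; a production system would correlate against actual DNS answers from a resolver log or DNS-aware flow exporter.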
