Computer worms perform random port scans over the Internet to find vulnerable hosts to intrude. Malicious software varies its port-scan strategy: for example, some hosts scan a particular target intensively, while others scan uniformly over IP address blocks. In this paper, we propose a new automated worm classification scheme based on distributed observations. The proposed scheme captures statistics of worm behavior with a simple decision tree whose nodes classify source addresses using optimal threshold values. The choice of thresholds is automated to minimize the entropy gain of classification. Once a tree is constructed, the classification can be done very quickly and accurately. In this paper, we analyze a set of source addresses observed by the distributed sensors in ISDAS, collected by 30 sensors over one year, in order to clarify the primary statistics of worms. Based on these statistical characteristics, we present the proposed classification and show the performance of the proposed scheme.
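As an added illustration of the threshold-selection step described above (example code written for this page, not the authors' implementation), the following builds a one-node decision tree over per-source scan statistics by picking the feature and threshold whose split has the lowest weighted entropy. The per-source records, the feature names `sensors_hit` and `max_share`, and the labels `focused`/`uniform` are constructed assumptions, not ISDAS data.

```python
from collections import Counter
from math import log2

def entropy(labels):
    """Shannon entropy in bits of a list of class labels."""
    n = len(labels)
    return -sum(c / n * log2(c / n) for c in Counter(labels).values()) if n else 0.0

def split_entropy(rows, feature, thr):
    """Size-weighted entropy of the two branches feature <= thr / feature > thr."""
    left = [r["label"] for r in rows if r[feature] <= thr]
    right = [r["label"] for r in rows if r[feature] > thr]
    return (len(left) * entropy(left) + len(right) * entropy(right)) / len(rows)

def best_threshold(rows, feature):
    """Candidate thresholds are midpoints between consecutive distinct values;
    return (threshold, weighted entropy) for the lowest-entropy split."""
    vals = sorted({r[feature] for r in rows})
    cands = [(a + b) / 2 for a, b in zip(vals, vals[1:])]
    return min(((t, split_entropy(rows, feature, t)) for t in cands), key=lambda x: x[1])

def majority(labels):
    return Counter(labels).most_common(1)[0][0]

def build_stump(rows, features=("sensors_hit", "max_share")):
    """Single-node decision tree: the feature/threshold pair with the lowest
    split entropy, plus the majority label on each side of the threshold."""
    feat, (thr, ent) = min(((f, best_threshold(rows, f)) for f in features),
                           key=lambda x: x[1][1])
    return {"feature": feat, "threshold": thr, "entropy": ent,
            "below": majority([r["label"] for r in rows if r[feat] <= thr]),
            "above": majority([r["label"] for r in rows if r[feat] > thr])}

def classify(stump, row):
    """Label one new source address by a single threshold comparison."""
    return stump["below"] if row[stump["feature"]] <= stump["threshold"] else stump["above"]

# Constructed per-source statistics (assumed features, not ISDAS data):
#   sensors_hit = distinct sensors that logged probes from the source
#   max_share   = fraction of the source's probes aimed at its single busiest sensor
SOURCES = [
    {"sensors_hit": 1,  "max_share": 1.00, "label": "focused"},
    {"sensors_hit": 2,  "max_share": 0.95, "label": "focused"},
    {"sensors_hit": 3,  "max_share": 0.90, "label": "focused"},
    {"sensors_hit": 4,  "max_share": 0.80, "label": "focused"},
    {"sensors_hit": 12, "max_share": 0.20, "label": "uniform"},
    {"sensors_hit": 18, "max_share": 0.12, "label": "uniform"},
    {"sensors_hit": 25, "max_share": 0.08, "label": "uniform"},
    {"sensors_hit": 30, "max_share": 0.05, "label": "uniform"},
]
```

With these records both features separate the classes perfectly, so the first feature listed wins the tie; on real sensor data the split entropy is rarely zero and the lowest-entropy node is then extended into further nodes the same way.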