CBSTM: Cloud-based Behavior Similarity Transmission Method to Detect Industrial Worms

Sophisticated industrial worms such as Stuxnet, Flame and Duqu pose a serious threat to industrial networks. Most existing detection methods rely on content patterns or aggressive activity as evidence of a worm, which makes them ineffective against worms whose patterns are not yet known and that do not behave aggressively. To detect such worms, we propose the Cloud-based Behavior Similarity Transmission Method (CBSTM). CBSTM is a cloud-based method that exploits the fundamental property that a worm propagates from host to host. It monitors behaviors on each host in the industrial network; when the same behaviors propagate among hosts and meet the given criteria, the corresponding hosts are judged to be infected by a worm. Once a worm is detected, the discovered behavior sequence is used as that worm's signature, so that it can be detected instantly afterwards. Because CBSTM does not depend on characteristics specific to any worm, it can be applied in general to detecting any worm in an industrial network. An evaluation on detecting Stuxnet confirms the effectiveness of CBSTM.
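The detection idea described above, as an added illustration that is not the paper's own code: hosts report behavior events to a cloud collector, the collector looks for identical behavior sequences that appear on several hosts in an order consistent with host-to-host contact, and a confirmed sequence becomes a signature. The sequence length, the minimum host count and the contact-chain criterion are assumptions made for this example; the paper's actual criteria are not given in the abstract.

```python
from collections import defaultdict

# Constructed sample reports: host -> list of (timestamp, behavior) from per-host monitors.
REPORTS = {
    "eng-01": [(100, "open_project"), (101, "drop_dll"), (102, "install_service"), (103, "probe_share")],
    "eng-02": [(200, "open_project"), (201, "drop_dll"), (202, "install_service"), (203, "probe_share")],
    "hmi-03": [(300, "open_project"), (301, "drop_dll"), (302, "install_service"), (303, "probe_share")],
    "ws-04":  [(50, "open_browser"), (60, "edit_document")],
}
# Constructed contact graph (e.g. from flow logs): (source host, destination host) pairs.
CONTACTS = {("eng-01", "eng-02"), ("eng-02", "hmi-03")}

WINDOW = 3      # assumption: a "behavior sequence" is a run of WINDOW consecutive behaviors
MIN_HOSTS = 3   # assumption: a sequence must be seen on at least this many hosts


def sequences(events):
    """Map each WINDOW-long behavior sequence on one host to the time it was first seen."""
    events = sorted(events)
    first_seen = {}
    for i in range(len(events) - WINDOW + 1):
        seq = tuple(b for _, b in events[i:i + WINDOW])
        first_seen.setdefault(seq, events[i][0])
    return first_seen


def detect(reports, contacts, min_hosts=MIN_HOSTS):
    """Return {sequence: [hosts in propagation order]} for sequences that spread along contacts."""
    seen = defaultdict(dict)  # sequence -> host -> first-seen time
    for host, events in reports.items():
        for seq, t in sequences(events).items():
            seen[seq][host] = t
    infected = {}
    for seq, hosts in seen.items():
        if len(hosts) < min_hosts:
            continue
        order = sorted(hosts, key=hosts.get)  # hosts by first appearance of the sequence
        # Propagation criterion: each later host was contacted by the host that showed it before.
        if all((order[i], order[i + 1]) in contacts for i in range(len(order) - 1)):
            infected[seq] = order
    return infected


def matches_signature(events, signatures):
    """Instant detection: does this host's behavior contain a sequence already confirmed as a worm?"""
    return any(seq in signatures for seq in sequences(events))


if __name__ == "__main__":
    found = detect(REPORTS, CONTACTS)
    for seq, hosts in found.items():
        print("worm sequence", seq, "propagated through", hosts)
    print("new host flagged:", matches_signature(REPORTS["eng-01"], set(found)))
```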
