Detecting Early Worm Propagation through Packet Matching

In this paper, we present DEWP, a router-based system designed to automatically detect and quarantine Internet worm propagation. DEWP detects worm probing traffic by matching destination port numbers between incoming and outgoing connections. This approach requires neither knowledge of worm packet contents nor profiles of normal traffic conditions; it detects and suppresses worms automatically on the basis of their unusual traffic patterns. We describe how DEWP works and evaluate its performance with simulations. We study the speed of detection and the effectiveness of vulnerable-host protection relative to factors including worm scanning techniques, DEWP deployment coverage and detection intervals. We also investigate false detections with network trace playback. We show that DEWP detects worm propagation within about 4 seconds. By blocking worm probing traffic automatically, DEWP can protect more than 99% of hosts from random-scanning worms.
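The port-matching idea in the abstract, worked through as an added example. This is not the paper's DEWP implementation: it assumes a router that sees each connection attempt as a record with a timestamp, a direction relative to the protected network, source and destination addresses and a destination port. The "at least N distinct outside targets" threshold, the sliding detection interval, the `detection_latency` helper and the response of suppressing all further traffic on the flagged port are simplifying assumptions made here, not details from the abstract. The trace at the bottom is constructed: a worm probes port 1434 on an inside host, which then starts scanning outside hosts on the same port, while ordinary SSH, DNS and HTTP traffic continues.

```python
"""Port-matching worm detector in the spirit of DEWP (added example, not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float        # seconds since trace start
    direction: str   # "in": outside -> protected net, "out": protected net -> outside
    src: str
    dst: str
    dport: int       # destination port: the only field the match is made on


class PortMatchDetector:
    """Flag port p when, within one detection interval, the protected network has
    both received connections to p and originated connections to p towards
    several distinct outside hosts (an infected host re-probing the same port)."""

    def __init__(self, interval=4.0, min_out_dests=3):
        self.interval = interval            # sliding detection window, seconds
        self.min_out_dests = min_out_dests  # assumed threshold, not from the paper
        self.in_seen = defaultdict(list)    # dport -> [(ts, src)]
        self.out_seen = defaultdict(list)   # dport -> [(ts, dst)]
        self.blocked = {}                   # dport -> ts at which it was blocked

    def _expire(self, dport, now):
        """Drop observations that fell out of the detection interval."""
        cutoff = now - self.interval
        self.in_seen[dport] = [e for e in self.in_seen[dport] if e[0] >= cutoff]
        self.out_seen[dport] = [e for e in self.out_seen[dport] if e[0] >= cutoff]

    def _suspicious(self, dport):
        if not self.in_seen[dport]:          # no inbound probe on this port: nothing to match
            return False
        targets = {dst for _, dst in self.out_seen[dport]}
        return len(targets) >= self.min_out_dests

    def observe(self, c):
        """Process one connection attempt and return the action taken for it."""
        if c.dport in self.blocked:
            return "drop"                    # quarantine: port is already suppressed
        if c.direction == "in":
            self.in_seen[c.dport].append((c.ts, c.src))
        else:
            self.out_seen[c.dport].append((c.ts, c.dst))
        self._expire(c.dport, c.ts)
        if self._suspicious(c.dport):
            self.blocked[c.dport] = c.ts
            return "block"
        return "pass"

    def detection_latency(self, dport):
        """Seconds from the earliest inbound probe still in the window to the block,
        or None if the port was never blocked."""
        if dport not in self.blocked:
            return None
        first_in = min(ts for ts, _ in self.in_seen[dport])
        return self.blocked[dport] - first_in


# Constructed trace (not from the paper). 10.0.0.0/24 is the protected network.
SAMPLE_TRACE = [
    Conn(0.0, "in",  "203.0.113.9",   "10.0.0.2",      22),    # admin SSH into the net
    Conn(0.5, "out", "10.0.0.3",      "198.51.100.1",  53),    # DNS query
    Conn(1.0, "in",  "198.51.100.7",  "10.0.0.5",      1434),  # worm probe reaches inside host
    Conn(1.2, "out", "10.0.0.4",      "93.184.216.34", 80),    # someone browsing
    Conn(1.4, "in",  "192.0.2.8",     "10.0.0.1",      80),    # client hits our web server
    Conn(2.0, "out", "10.0.0.5",      "45.33.32.1",    1434),  # infected host begins scanning
    Conn(2.1, "out", "10.0.0.5",      "45.33.32.2",    1434),
    Conn(2.2, "out", "10.0.0.5",      "45.33.32.3",    1434),  # third distinct target: block
    Conn(2.3, "out", "10.0.0.5",      "45.33.32.4",    1434),  # dropped by the quarantine
    Conn(3.0, "out", "10.0.0.4",      "93.184.216.35", 80),    # browsing continues unaffected
]


def run_trace(trace, **kwargs):
    """Feed a trace through a fresh detector; return per-record actions and the detector."""
    det = PortMatchDetector(**kwargs)
    actions = [det.observe(c) for c in trace]
    return actions, det


if __name__ == "__main__":
    actions, det = run_trace(SAMPLE_TRACE)
    for c, action in zip(SAMPLE_TRACE, actions):
        print(f"{c.ts:4.1f}s {c.direction:3} {c.src:>14} -> {c.dst}:{c.dport:<5} {action}")
    print("blocked ports:", sorted(det.blocked))
    print("detection latency on 1434:", det.detection_latency(1434), "s")
```

Port 80 shows the false-positive trade-off the abstract says was studied with trace playback: the subnet both serves and browses the web, so inbound and outbound port-80 connections coexist, and with a long enough interval or enough distinct destinations the same logic would block it. The detection interval and the distinct-target threshold are the knobs that trade detection speed against that risk, and a worm that spreads by hit list or only ever probes ports the router never sees inbound will not be matched at all.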