Darknet-Based Inference of Internet Worm Temporal Characteristics

Internet worm attacks pose a significant threat to network security and management. In this work, we coin the term Internet worm tomography as inferring the characteristics of Internet worms from the observations of Darknet or network telescopes that monitor a routable but unused IP address space. Under the framework of Internet worm tomography, we attempt to infer Internet worm temporal behaviors, i.e., the host infection time and the worm infection sequence, and thus pinpoint patient zero or initially infected hosts. Specifically, we apply statistical estimation techniques and propose method of moments, maximum likelihood, and linear regression estimators. We show analytically and empirically that our proposed estimators can better infer worm temporal characteristics than a naive estimator that has been used in the previous work. We also demonstrate that our estimators can be applied to worms using different scanning strategies such as random scanning and localized scanning.

[1]  Stefan Savage,et al.  Self-stopping worms , 2005, WORM '05.

[2]  Hayder Radha,et al.  Worm Detection at Network Endpoints Using Information-Theoretic Traffic Perturbations , 2008, 2008 IEEE International Conference on Communications.

[3]  Steven D. Gribble,et al.  The limits of global scanning worm detectors in the presence of background noise , 2005, WORM '05.

[4]  Vern Paxson,et al.  Proceedings of the 13th USENIX Security Symposium , 2022 .

[5]  Hari Balakrishnan,et al.  Fast portscan detection using sequential hypothesis testing , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[6]  Niki Pissinou,et al.  Inferring Internet Worm Temporal Characteristics , 2008, IEEE GLOBECOM 2008 - 2008 IEEE Global Telecommunications Conference.

[7]  Tian Bu,et al.  Design and Evaluation of a Fast and Robust Worm Detection Algorithm , 2006, Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications.

[8]  Hayder Radha,et al.  Detecting Malware Outbreaks Using a Statistical Model of Blackhole Traffic , 2008, 2008 IEEE International Conference on Communications.

[9]  Stefan Savage,et al.  Network Telescopes: Technical Report , 2004 .

[10]  Farnam Jahanian,et al.  The Internet Motion Sensor - A Distributed Blackhole Monitoring System , 2005, NDSS.

[11]  S. Kay Fundamentals of statistical signal processing: estimation theory , 1993 .

[12]  Michèle Basseville,et al.  Detection of abrupt changes: theory and application , 1993 .

[13]  Chuanyi Ji,et al.  Optimal worm-scanning method using vulnerable-host distributions , 2007, Int. J. Secur. Networks.

[14]  Ray Jain,et al.  The art of computer systems performance analysis - techniques for experimental design, measurement, simulation, and modeling , 1991, Wiley professional computing.

[15]  Chuanyi Ji,et al.  Understanding Localized-Scanning Worms , 2007, 2007 IEEE International Performance, Computing, and Communications Conference.

[16]  Kevin A. Kwiat,et al.  Modeling the spread of active worms , 2003, IEEE INFOCOM 2003. Twenty-second Annual Joint Conference of the IEEE Computer and Communications Societies (IEEE Cat. No.03CH37428).

[17]  Mary K. Vernon,et al.  Mapping Internet Sensors with Probe Response Attacks , 2005, USENIX Security Symposium.

[18]  Donald F. Towsley,et al.  Multicast-based inference of network-internal loss characteristics , 1999, IEEE Trans. Inf. Theory.

[19]  David Moore,et al.  Code-Red: a case study on the spread and victims of an internet worm , 2002, IMW '02.

[20]  Jelena Mirkovic,et al.  Correcting congestion-based error in network telescope's observations of worm dynamics , 2008, IMC '08.

[21]  Mark Crovella,et al.  Mining anomalies using traffic feature distributions , 2005, SIGCOMM '05.

[22]  David A. Maltz,et al.  Worm origin identification using random moonwalks , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[23]  Donald F. Towsley,et al.  The monitoring and early detection of Internet worms , 2005, IEEE/ACM Transactions on Networking.

[24]  David Moore,et al.  The Spread of the Witty Worm , 2004, IEEE Secur. Priv..

[25]  Robert Nowak,et al.  Internet tomography , 2002, IEEE Signal Process. Mag..

[26]  Matthew M. Williamson,et al.  Throttling viruses: restricting propagation to defeat malicious mobile code , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[27]  Andreas Terzis,et al.  Worm evolution tracking via timing analysis , 2005, WORM '05.

[28]  Jiang Wu,et al.  An Effective Architecture and Algorithm for Detecting Worms with Various Scan , 2004, NDSS.

[29]  Stefan Savage,et al.  Inside the Slammer Worm , 2003, IEEE Secur. Priv..

[30]  John Heidemann,et al.  Detecting Early Worm Propagation through Packet Matching , 2004 .

[31]  L. Spitzner,et al.  Honeypots: Tracking Hackers , 2002 .

[32]  Vern Paxson,et al.  Exploiting underlying structure for detailed reconstruction of an internet-scale event , 2005, IMC '05.

[33]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[34]  George Kesidis,et al.  Toward a Framework for Forensic Analysis of Scanning Worms , 2006, ETRICS.