A Real-Time Worm Outbreak Detection System Using Shared Counters

New networking applications such as Network Intrusion Detection Systems (NIDS) require finding the frequently repeated strings in a packet stream for further investigation. The strategy of finding strings that repeat frequently within a given time frame of the packet stream has proven quite effective for detecting polymorphic worms. A novel real-time worm outbreak detection system using two-phase hashing is proposed in this paper. We use the concept of shared counters to minimize the memory cost while efficiently sifting out suspicious strings. We have simulated our system for various settings and packet stream sizes. Our system can support line speeds of gigabit rates with negligible false positives and false negatives.
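As an added illustration of the two-phase idea described in the abstract (not the paper's own code or its exact hashing scheme), the following Python uses a count-min sketch as the shared-counter phase and a small exact table as the sifting phase; the window size, threshold, sketch dimensions and sample stream are all assumptions.

```python
import hashlib
from typing import Dict, Iterable, List, Set

WINDOW = 16     # bytes per content fingerprint (sliding window over the payload)
THRESHOLD = 10  # repeats within the time frame before a string is treated as suspicious

def fingerprints(payload: bytes) -> List[int]:
    """Fingerprint every WINDOW-byte substring of a payload (hypothetical helper)."""
    return [int.from_bytes(hashlib.blake2b(payload[i:i + WINDOW], digest_size=8).digest(), "big")
            for i in range(len(payload) - WINDOW + 1)]

class SharedCounterSifter:
    """Phase 1: depth x width shared counters (a count-min sketch, assumed as a stand-in for
    the paper's scheme); each fingerprint bumps one counter per row, so memory stays fixed.
    Phase 2: an exact table holds only fingerprints whose estimate reached THRESHOLD."""
    def __init__(self, depth: int = 4, width: int = 4096) -> None:
        self.depth, self.width = depth, width
        self.counters = [[0] * width for _ in range(depth)]
        self.candidates: Dict[int, int] = {}
    def _slot(self, fp: int, row: int) -> int:
        h = hashlib.blake2b(fp.to_bytes(8, "big"), digest_size=4, salt=row.to_bytes(2, "big"))
        return int.from_bytes(h.digest(), "big") % self.width
    def observe(self, fp: int) -> None:
        if fp in self.candidates:      # already sifted out: count it exactly from here on
            self.candidates[fp] += 1
            return
        slots = [self._slot(fp, row) for row in range(self.depth)]
        for row, slot in enumerate(slots):
            self.counters[row][slot] += 1
        estimate = min(self.counters[row][slot] for row, slot in enumerate(slots))
        if estimate >= THRESHOLD:      # the sketch never underestimates: no heavy string is missed
            self.candidates[fp] = estimate
    def process(self, packets: Iterable[bytes]) -> Dict[int, int]:
        for payload in packets:
            for fp in fingerprints(payload):
                self.observe(fp)
        return dict(self.candidates)

# Constructed stream: 20 packets carry one 35-byte fragment between unique filler bytes
# and 10 packets are unique filler only. Nothing here is real worm content.
FRAGMENT = b"REPEATED-FRAGMENT-0123456789ABCDEFG"

def constructed_stream() -> List[bytes]:
    filler = lambda tag: hashlib.sha256(tag).digest()
    worm = [filler(b"pre%d" % i) + FRAGMENT + filler(b"post%d" % i) for i in range(20)]
    benign = [filler(b"a%d" % i) + filler(b"b%d" % i) for i in range(10)]
    return worm + benign

def interior_fingerprints() -> Set[int]:
    """Fingerprints of the windows lying fully inside FRAGMENT: those should be sifted out."""
    return set(fingerprints(FRAGMENT))
```

Only the 20 windows lying wholly inside the repeated fragment reach the exact table; windows straddling the unique filler differ per packet and stay in the shared counters.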
