Worm Traffic Analysis and Characterization

Internet worms are receiving ever more attention from the research community and represent one of the hot research topics in the field of network security. Our knowledge of the phenomena related to Internet worms (from their intrinsic characteristics to their impact and to possible countermeasures) is still in its infancy. This is one of the main reasons why different kinds of research approaches coexist. In this paper we focus on worm traffic analysis. We propose a general methodology, discuss the issues involved, and present a software platform that can be used for this kind of study. Moreover, we show some interesting preliminary results from our traffic analysis of two of the most relevant worms that have spread over the Internet: Witty and Slammer. Our results provide interesting evidence of (spatial and temporal) invariance and offer some hints on worm traffic fingerprinting.
