Origins: an approach to trace fast spreading worms to their roots

An automatic distributed mechanism is proposed to identify the propagation roots of fast-spreading Internet worms. The information obtained can be used to identify local worm outbreaks, network intrusions and internal network misuse, and to support forensic trace-back after detection. It has been designed with simplicity, efficacy and ease of deployment in mind. Two modes of operation are possible, yielding both real-time and post-mortem propagation information. The proposed paradigm can work in unison with any intrusion detection, throttling and human-mediated response. Simulation results show that even with only 20 to 30% deployment, worm origins can be pinpointed with great precision.
