The limits of global scanning worm detectors in the presence of background noise

Internet worms cause billions of dollars in damage each year. To combat them, researchers have been exploring global worm detection systems that spot a new random-scanning worm outbreak quickly. These systems passively listen for worm probes on unused IP addresses and look for anomalous increases in probe traffic to distinguish the emergence of a new worm from background Internet noise. In this paper we use analytic modeling, simulation, and measurement to understand how background noise affects the detection ability of global scanning worm detectors. We investigate the relationship between the average background noise level, the number of IP addresses monitored, and the detection latency for two classes of global scanning worm detectors: scan packet-based and victim-based schemes. Our results show how worm detection latency degrades as the background noise level rises. To compensate, global scanning worm detectors can increase the number of IP addresses they monitor; however, given the growth trend of background noise levels, the number of addresses that must be monitored may quickly become unreasonable. We therefore conclude that global scanning worm detection schemes are unlikely to be competitive with local scanning and signature-based worm detection schemes.
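The following is an added, self-contained illustration of the noise/monitored-addresses/latency trade-off the abstract describes; it is not the paper's model or code. It assumes a fluid (logistic) model of a uniform random-scanning worm over the IPv4 space, Poisson background radiation at a constructed per-address rate, a detector that already knows its quiet-period baseline and alarms when one window's count exceeds that baseline by k standard deviations, a victim-based variant that counts distinct probing source addresses (with an assumed number of packets per noise source), and constructed parameter values (360,000 vulnerable hosts, 10 probes/s per infected host, one initial victim, 10-second windows, a /16 darknet). All function and parameter names are the example's own.

```python
import math

# Added illustrative model (not the paper's): a random-scanning worm seen from a
# darknet of `monitored` unused addresses, with Poisson background radiation.
ADDRESS_SPACE = 2 ** 32  # IPv4 space scanned uniformly at random (assumption)


def worm_trajectory(vulnerable, scan_rate, initial, dt, horizon):
    """Fluid (deterministic) model of a uniform random-scanning worm.

    Each infected host sends `scan_rate` probes/s to uniformly random IPv4
    addresses; a probe infects a still-vulnerable host with probability
    (vulnerable - infected) / ADDRESS_SPACE.  Returns the infected count at
    t = 0, dt, 2dt, ... up to `horizon` seconds (a logistic growth curve).
    """
    infected = float(initial)
    traj = []
    for _ in range(int(horizon / dt) + 1):
        traj.append(infected)
        new = infected * scan_rate * dt * (vulnerable - infected) / ADDRESS_SPACE
        infected = min(float(vulnerable), infected + new)
    return traj


def detection_latency(traj, dt, scan_rate, monitored, noise_rate,
                      k=5.0, mode="packets", noise_packets_per_source=1.0):
    """Seconds until a k-sigma darknet detector raises an alarm, or None.

    Background noise is modelled as Poisson with `noise_rate` packets per
    monitored address per second (assumption).  The detector is assumed to know
    its baseline from a quiet training period and alarms when the count in one
    window of `dt` seconds exceeds the baseline by k standard deviations
    (sqrt(baseline) for Poisson counts).
      mode="packets": counts probe packets hitting the darknet.
      mode="victims": counts distinct source addresses; each noise source is
                      assumed to send `noise_packets_per_source` packets per window.
    """
    if mode == "packets":
        baseline = noise_rate * monitored * dt

        def worm_signal(infected):
            # expected worm probes landing in the darknet during one window
            return infected * scan_rate * dt * monitored / ADDRESS_SPACE
    elif mode == "victims":
        baseline = noise_rate * monitored * dt / noise_packets_per_source

        def worm_signal(infected):
            # expected number of infected hosts that hit the darknet at least once
            p_hit = 1.0 - math.exp(-scan_rate * dt * monitored / ADDRESS_SPACE)
            return infected * p_hit
    else:
        raise ValueError("mode must be 'packets' or 'victims'")

    threshold = k * math.sqrt(baseline)
    for step, infected in enumerate(traj):
        if worm_signal(infected) >= threshold:
            return step * dt
    return None


def analytic_latency(vulnerable, scan_rate, initial, monitored, noise_rate, dt, k=5.0):
    """Closed-form latency of the packet-count detector, from the logistic solution
    I(t) = V / (1 + (V/I0 - 1) e^{-beta t}) with beta = scan_rate * V / ADDRESS_SPACE.
    Returns None when the noise-derived threshold exceeds what infecting every
    vulnerable host could generate (the worm is never detectable)."""
    beta = scan_rate * vulnerable / ADDRESS_SPACE
    threshold = k * math.sqrt(noise_rate * monitored * dt)
    probes_per_host = scan_rate * dt * monitored / ADDRESS_SPACE
    needed = threshold / probes_per_host  # infected hosts needed to cross threshold
    if needed >= vulnerable:
        return None
    if needed <= initial:
        return 0.0
    return math.log((vulnerable / initial - 1.0) / (vulnerable / needed - 1.0)) / beta


if __name__ == "__main__":
    # Constructed parameters: 360k vulnerable hosts, 10 probes/s per host, one
    # initial victim, 10 s detector windows, a /16 darknet, then 4x noise, then
    # 4x noise with a 4x larger (/14) darknet.
    V, S, I0, DT = 360_000, 10.0, 1, 10.0
    traj = worm_trajectory(V, S, I0, DT, horizon=86_400)
    print("noise/addr/s  monitored  packets-latency(s)  victims-latency(s)")
    for noise, monitored in [(1e-4, 2 ** 16), (4 * 1e-4, 2 ** 16), (4 * 1e-4, 2 ** 18)]:
        pk = detection_latency(traj, DT, S, monitored, noise)
        vc = detection_latency(traj, DT, S, monitored, noise, mode="victims",
                               noise_packets_per_source=8.0)
        print(f"{noise:10.1e}  {monitored:9d}  {pk:18.0f}  {vc:18.0f}")
```

In the packet-count scheme the worm signal grows linearly with the number of monitored addresses M while the noise standard deviation grows only as sqrt(M), so the detection threshold relative to the signal scales as sqrt(noise_rate / M): quadrupling the darknet exactly offsets a four-fold rise in the noise rate, and holding latency constant against noise that grows by a factor f requires monitoring f times as many addresses, which is the scaling behind the abstract's concern about unreasonable monitoring requirements. The victim-based variant gains only where background sources are repetitive (many packets per source), which is the assumption encoded in noise_packets_per_source.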
