Defending against Internet Worms: A Signature-Based Approach

Defending against Internet Worms: A Signature-Based Approach (2005)

Cached

Download Links

[www.cise.ufl.edu]

Other Repositories/Bibliography

DBLP

by Yong Tang , Shigang Chen

Venue:	In Proceedings of IEEE INFOCOM05
Citations:	44 - 1 self

BibTeX

@INPROCEEDINGS{Tang05defendingagainst,
    author = {Yong Tang and Shigang Chen},
    title = {Defending against Internet Worms: A Signature-Based Approach},
    booktitle = {In Proceedings of IEEE INFOCOM05},
    year = {2005}
}

Bookmark

OpenURL

Abstract

With the capability of infecting hundreds of thousands of hosts, worms represent a major threat to the Internet. The defense against Internet worms is largely an open problem. This paper attempts to answer two important questions. Can a localized defense system detect new worms that were not seen before and, moreover, capture the attack packets? How to identify polymorphic worms from the normal background traffic? We have two major contributions. The first contribution is the design of a novel double-honeypot system, which is able to automatically detect new worms and isolate the attack traffic. The second contribution is the introduction of position-aware distribution signature (PADS), which fits in the gap between the traditional signatures and the anomaly-based systems. We propose two algorithms based on Expectation-Maximization (EM) and Gibbs Sampling for efficient computation of PADS from polymorphic worm samples. The new signature is capable of handling certain polymorphic worms. Our experiments show that the algorithms accurately separate new variants of the MSBlaster worm from the normal background traffic.

Citations

3012	Stochastic relaxation, Gibbs distributions, and the Bayesian restoration of images - Geman, Geman - 1984
425	How to own the internet in your spare time - Staniford, Paxson, et al. - 2002
407	Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks - Cowan, Pu, et al.
372	Detecting subtle sequence signals: a Gibbs sampling strategy for multiple alignment - Lawrence - 1993
252	Internet Quarantine: Requirements for Containing Self-Propagating Code - Moore, Shannon, et al. - 2003
239	transition analysis: A rule-based intrusion detection approach - Ilgun, Kermmerer, et al. - 1995
227	Network Security, Private Communication in a Public World - Kaufman, Perlman, et al. - 1995
222	Code-Red: a case study on the spread and victims of an internet worm - Moore, Shannon, et al. - 2002
180	Code Red Worm Propagation Modeling and Analysis - Zou, Gong, et al. - 2002
170	Throttling viruses: Restricting propagation to defeat malicious mobile code - Williamson - 2002
160	Anomalous payload-based network intrusion detection - WANG, STOLFO
158	A Virtual Honeypot Framework - Provos - 2004
142	Honeycomb - creating intrusion detection signatures using honeypots - Kreibich, Crowcroft - 2003
131	Monitoring and early warning for internet worms - Zou, Gao, et al. - 2003
123	Modeling the spread of active worms - Chen, Gao, et al. - 2003
110	The nides statistical component: description and justification - Javitz, Valdes - 1993
106	With microscope and tweezers: An analysis of the Internet virus of - Eichin, Rochlis - 1988
98	An expectation maximization (EM) algorithm for the identification and characterization of common sites in unaligned biopolymer sequences. Proteins: Struct - Lawrence, Reilly - 1990
92	Anomaly detection of web-based attacks - Kruegel, Vigna - 2003
88	Detecting computer and network misuse through the production-based expert system toolset (p-best - Lindqvist, Porras - 1999
85	Static Analysis of Executables to Detect Malicious Patterns,” Proc.USENIXSecuritySymp - Christodorescu, Jha - 2003
56	Directed-graph epidemiological models of computer viruses - White - 1991
22	Slowing down internet worms - Chen, Tang - 2004