{"title":"Host behaviour based early detection of worm outbreaks in Internet backbones","authors":"Thomas Dübendorfer, B. Plattner","doi":"10.1109/WETICE.2005.40","DOIUrl":null,"url":null,"abstract":"We propose a novel near real-time method for early detection of worm outbreaks in high-speed Internet backbones. Our method attributes several behavioural properties to individual hosts like ratio of outgoing to incoming traffic, responsiveness and number of connections. These properties are used to group hosts into distinct behaviour classes. We use flow-level (Cisco Net Flow) information exported by the border routers of a Swiss Internet backbone provider (AS559/SWITCH). By tracking the cardinality of each class over time and alarming on fast increases and other significant changes, we can early and reliably detect worm outbreaks. We successfully validated our method with archived flow-level traces of recent major Internet e-mail based worms such as MyDoomA and Sobig.F, and fast spreading network worms like Witty and Blaster. Our method is generic in the sense that it does not require any previous knowledge about the exploits and scanning method used by the worms. It can give a set of suspicious hosts in near real-time that have recently and drastically changed their network behaviour and hence are highly likely to be infected.","PeriodicalId":128074,"journal":{"name":"14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05)","volume":"27 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-06-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"42","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WETICE.2005.40","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 42
Abstract
We propose a novel near real-time method for early detection of worm outbreaks in high-speed Internet backbones. Our method attributes several behavioural properties to individual hosts like ratio of outgoing to incoming traffic, responsiveness and number of connections. These properties are used to group hosts into distinct behaviour classes. We use flow-level (Cisco Net Flow) information exported by the border routers of a Swiss Internet backbone provider (AS559/SWITCH). By tracking the cardinality of each class over time and alarming on fast increases and other significant changes, we can early and reliably detect worm outbreaks. We successfully validated our method with archived flow-level traces of recent major Internet e-mail based worms such as MyDoomA and Sobig.F, and fast spreading network worms like Witty and Blaster. Our method is generic in the sense that it does not require any previous knowledge about the exploits and scanning method used by the worms. It can give a set of suspicious hosts in near real-time that have recently and drastically changed their network behaviour and hence are highly likely to be infected.
我们提出了一种新的接近实时的方法,用于早期检测高速互联网骨干网中的蠕虫爆发。我们的方法将几个行为属性归因于单个主机,如传出与传入流量的比例,响应性和连接数。这些属性用于将主机分组为不同的行为类。我们使用由瑞士互联网主干提供商(AS559/SWITCH)的边界路由器导出的流级(Cisco Net Flow)信息。通过随时间跟踪每个类的基数,并对快速增长和其他重大变化发出警报,我们可以早期可靠地检测到蠕虫的爆发。我们成功地用最近主要的互联网电子邮件蠕虫(如MyDoomA和Sobig)的存档流级痕迹验证了我们的方法。F,以及像诙谐和爆破这样快速传播的网络蠕虫。我们的方法是通用的,因为它不需要任何关于蠕虫使用的攻击和扫描方法的先前知识。它可以提供一组可疑的主机在近实时,最近和急剧改变他们的网络行为,因此极有可能被感染。
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
