DOI: 10.1145/1179542.1179557

Signature metrics for accurate and automated worm detection

Published: 03 November 2006

Abstract

This paper presents two simple algorithms, TreeCount and SenderCount, that detect a broad range of exploit-based and email worms, respectively. These algorithms, when combined with automated payload fingerprinting, generate precise worm payload signatures. We show that fundamental traffic properties of most worms, such as infected hosts' attempts to propagate the worm, can serve to detect signatures of non-polymorphic worms reliably and rapidly. Our prototype monitored over 200 Mb/s of university traffic for 3 months. TreeCount generated new signatures during the Zotob outbreak with no false positives, and also identified known worms like Sasser and Phatbot. SenderCount identified email worms and a spam cluster, while generating ∼2 false positives/hour.


Cited By

  • (2013) A mathematical exploitation of simulated uniform scanning botnet propagation dynamics for early stage detection and management. Journal of Computer Virology and Hacking Techniques 10(1):29-51, online 27 Aug 2013. DOI: 10.1007/s11416-013-0190-7
  • (2009) Concept, Characteristics and Defending Mechanism of Worms. IEICE Transactions on Information and Systems E92-D(5):799-809, 2009. DOI: 10.1587/transinf.E92.D.799
  • (2007) SWorD. Proceedings of the 2007 OTM Confederated International Conference on On the Move to Meaningful Internet Systems: CoopIS, DOA, ODBASE, GADA, and IS, Volume Part II, pp. 1752-1769, online 25 Nov 2007. DOI: 10.5555/1784707.1784767
  • (2007) SWorD: A Simple Worm Detection Scheme. On the Move to Meaningful Internet Systems 2007: CoopIS, DOA, ODBASE, GADA, and IS, pp. 1752-1769, online 25 Nov 2007. DOI: 10.1007/978-3-540-76843-2_44

    Published In

    WORM '06: Proceedings of the 4th ACM workshop on Recurring malcode
    November 2006, 88 pages
    ISBN: 1595935517
    DOI: 10.1145/1179542

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. network worms
    2. traffic analysis
    3. worm signatures

    Conference

    CCS06