TY - GEN
T1 - Signature metrics for accurate and automated worm detection
AU - Gopalan, Prem
AU - Jamieson, Kyle
AU - Mavrommatis, Panayiotis
AU - Poletto, Massimiliano
N1 - Copyright:
Copyright 2013 Elsevier B.V., All rights reserved.
PY - 2006
Y1 - 2006
N2 - This paper presents two simple algorithms, TreeCount and SenderCount, that detect a broad range of exploit-based and email worms, respectively. These algorithms, when combined with automated payload fingerprinting, generate precise worm payload signatures. We show that fundamental traffic properties of most worms, such as infected hosts' attempts to propagate the worm, can serve to detect signatures of non-polymorphic worms reliably and rapidly. Our prototype monitored over 200 Mb/s of university traffic for 3 months. TreeCount generated new signatures during the Zotob outbreak with no false positives, and also identified known worms like Sasser and Phatbot. SenderCount identified email worms and a spam cluster, while generating 2 false positives/hour.
AB - This paper presents two simple algorithms, TreeCount and SenderCount, that detect a broad range of exploit-based and email worms, respectively. These algorithms, when combined with automated payload fingerprinting, generate precise worm payload signatures. We show that fundamental traffic properties of most worms, such as infected hosts' attempts to propagate the worm, can serve to detect signatures of non-polymorphic worms reliably and rapidly. Our prototype monitored over 200 Mb/s of university traffic for 3 months. TreeCount generated new signatures during the Zotob outbreak with no false positives, and also identified known worms like Sasser and Phatbot. SenderCount identified email worms and a spam cluster, while generating 2 false positives/hour.
KW - Network worms
KW - Traffic analysis
KW - Worm signatures
UR - http://www.scopus.com/inward/record.url?scp=34547232533&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34547232533&partnerID=8YFLogxK
U2 - 10.1145/1179542.1179557
DO - 10.1145/1179542.1179557
M3 - Conference contribution
AN - SCOPUS:34547232533
SN - 1595934472
SN - 9781595934475
T3 - Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
SP - 65
EP - 72
BT - Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
T2 - 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
Y2 - 3 November 2006 through 3 November 2006
ER -