Signature metrics for accurate and automated worm detection

Prem Gopalan; Kyle Jamieson; Panayiotis Mavrommatis; Massimiliano Poletto

doi:10.1145/1179542.1179557

Signature metrics for accurate and automated worm detection

Prem Gopalan, Kyle Jamieson, Panayiotis Mavrommatis, Massimiliano Poletto

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Scopus citations

Abstract

This paper presents two simple algorithms, TreeCount and SenderCount that detect a broad range of exploit-based and email worms, respectively. These algorithms, when combined with automated payload fingerprinting, generate precise worm payload signatures. We show that fundamental traffic properties of most worms, such as infected hosts' attempts to propagate the worm, can serve to detect signatures of non-polymorphic worms reliably and rapidly.Our prototype monitored over 200 Mb/s of university traffic for 3 months. TreeCount generated new signatures during the Zotob outbreak with no false positives, and also identified known worms like Sasser and Phatbot. SenderCount identified email worms and a spam cluster, while generating 2 false positives/hour.

Original language	English (US)
Title of host publication	Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
Pages	65-72
Number of pages	8
DOIs	https://doi.org/10.1145/1179542.1179557
State	Published - 2006
Externally published	Yes
Event	4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06 - Alexandria, VA, United States Duration: Nov 3 2006 → Nov 3 2006

Publication series

Name	Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

Other

Other	4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06
Country/Territory	United States
City	Alexandria, VA
Period	11/3/06 → 11/3/06

All Science Journal Classification (ASJC) codes

Software

Keywords

Network worms
Traffic analysis
Worm signatures

Access to Document

10.1145/1179542.1179557

Cite this

Gopalan, P., Jamieson, K., Mavrommatis, P., & Poletto, M. (2006). Signature metrics for accurate and automated worm detection. In Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06 (pp. 65-72). (Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06). https://doi.org/10.1145/1179542.1179557

Gopalan, Prem ; Jamieson, Kyle ; Mavrommatis, Panayiotis et al. / Signature metrics for accurate and automated worm detection. Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06. 2006. pp. 65-72 (Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06).

@inproceedings{8c153716d7b441708da27c078d1ad263,

title = "Signature metrics for accurate and automated worm detection",

abstract = "This paper presents two simple algorithms, TreeCount and SenderCount that detect a broad range of exploit-based and email worms, respectively. These algorithms, when combined with automated payload fingerprinting, generate precise worm payload signatures. We show that fundamental traffic properties of most worms, such as infected hosts' attempts to propagate the worm, can serve to detect signatures of non-polymorphic worms reliably and rapidly.Our prototype monitored over 200 Mb/s of university traffic for 3 months. TreeCount generated new signatures during the Zotob outbreak with no false positives, and also identified known worms like Sasser and Phatbot. SenderCount identified email worms and a spam cluster, while generating 2 false positives/hour.",

keywords = "Network worms, Traffic analysis, Worm signatures",

author = "Prem Gopalan and Kyle Jamieson and Panayiotis Mavrommatis and Massimiliano Poletto",

note = "Copyright: Copyright 2013 Elsevier B.V., All rights reserved.; 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06 ; Conference date: 03-11-2006 Through 03-11-2006",

year = "2006",

doi = "10.1145/1179542.1179557",

language = "English (US)",

isbn = "1595934472",

series = "Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06",

pages = "65--72",

booktitle = "Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06",

}

Gopalan, P, Jamieson, K, Mavrommatis, P & Poletto, M 2006, Signature metrics for accurate and automated worm detection. in Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06. Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06, pp. 65-72, 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06, Alexandria, VA, United States, 11/3/06. https://doi.org/10.1145/1179542.1179557

Signature metrics for accurate and automated worm detection. / Gopalan, Prem; Jamieson, Kyle; Mavrommatis, Panayiotis et al.
Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06. 2006. p. 65-72 (Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Signature metrics for accurate and automated worm detection

AU - Gopalan, Prem

AU - Jamieson, Kyle

AU - Mavrommatis, Panayiotis

AU - Poletto, Massimiliano

PY - 2006

Y1 - 2006

N2 - This paper presents two simple algorithms, TreeCount and SenderCount that detect a broad range of exploit-based and email worms, respectively. These algorithms, when combined with automated payload fingerprinting, generate precise worm payload signatures. We show that fundamental traffic properties of most worms, such as infected hosts' attempts to propagate the worm, can serve to detect signatures of non-polymorphic worms reliably and rapidly.Our prototype monitored over 200 Mb/s of university traffic for 3 months. TreeCount generated new signatures during the Zotob outbreak with no false positives, and also identified known worms like Sasser and Phatbot. SenderCount identified email worms and a spam cluster, while generating 2 false positives/hour.

AB - This paper presents two simple algorithms, TreeCount and SenderCount that detect a broad range of exploit-based and email worms, respectively. These algorithms, when combined with automated payload fingerprinting, generate precise worm payload signatures. We show that fundamental traffic properties of most worms, such as infected hosts' attempts to propagate the worm, can serve to detect signatures of non-polymorphic worms reliably and rapidly.Our prototype monitored over 200 Mb/s of university traffic for 3 months. TreeCount generated new signatures during the Zotob outbreak with no false positives, and also identified known worms like Sasser and Phatbot. SenderCount identified email worms and a spam cluster, while generating 2 false positives/hour.

KW - Network worms

KW - Traffic analysis

KW - Worm signatures

UR - http://www.scopus.com/inward/record.url?scp=34547232533&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34547232533&partnerID=8YFLogxK

U2 - 10.1145/1179542.1179557

DO - 10.1145/1179542.1179557

M3 - Conference contribution

AN - SCOPUS:34547232533

SN - 1595934472

SN - 9781595934475

T3 - Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

SP - 65

EP - 72

BT - Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

T2 - 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06

Y2 - 3 November 2006 through 3 November 2006

ER -

Gopalan P, Jamieson K, Mavrommatis P, Poletto M. Signature metrics for accurate and automated worm detection. In Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06. 2006. p. 65-72. (Proceedings of the 4th ACM Workshop on Recurring Malcode, WORM'06. Co-located with the 13th ACM Conference on Computer and Communications Security, CCS'06). doi: 10.1145/1179542.1179557

Signature metrics for accurate and automated worm detection

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Keywords

Access to Document

Other files and links

Fingerprint

Cite this