Abstract
Traditional behavior-based worm detection cannot effectively eliminate the influence of worm-like P2P traffic, nor detect slow worms. To address these problems, this paper first presents a user habit model describing the factors that influence the generation of network traffic, then introduces the design of HPBRWD (Host Packet Behavior Ranking Based Worm Detection) and some key issues about it. This paper makes three contributions to worm detection: 1) presenting a hierarchical user habit model; 2) using normal software and time profiles to eliminate worm-like P2P traffic and accelerate the detection of worms; 3) presenting HPBRWD to detect worms effectively. Experimental results show that HPBRWD is effective at detecting worms.
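To make the abstract's idea concrete, the following is an added illustration of host packet behavior ranking with a normal-software profile and a time profile applied first. It is not the paper's HPBRWD implementation and is not code from the authors: the assumption that a host agent labels each packet with its sending process, the site-specific profile contents, the scoring rule (distinct destinations per time window, doubled outside the host's usual hours) and the sample packets are all constructed for this example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Packet:
    ts: int        # seconds since epoch (constructed values below)
    host: str      # sending host
    process: str   # process that sent it (assumes a host agent reports this)
    dst: str       # destination address
    dport: int     # destination port


# Assumed profiles, not taken from the paper: software/port pairs that are
# normal for the site (including a P2P client whose fan-out looks worm-like),
# and the hours each host is normally active.
NORMAL_SOFTWARE = {("p2pclient", 6881), ("browser", 443), ("browser", 80)}
ACTIVE_HOURS = {"h1": range(8, 19), "h2": range(8, 19), "h3": range(9, 18)}
OFF_HOURS_WEIGHT = 2.0   # assumption: activity outside the time profile counts double


def profiled_normal(p: Packet) -> bool:
    """Traffic from known-good software on its usual port is removed before ranking,
    which is how the worm-like P2P traffic stops influencing the score."""
    return (p.process, p.dport) in NORMAL_SOFTWARE


def off_hours(p: Packet) -> bool:
    """True when the packet falls outside the host's usual active hours."""
    hour = (p.ts // 3600) % 24
    return hour not in ACTIVE_HOURS.get(p.host, range(24))


def rank_hosts(packets: Iterable[Packet], window: int = 60) -> list[tuple[str, float]]:
    """Score each host by the number of distinct destinations its non-profiled
    software contacts per window, weighting off-hours windows, and rank descending."""
    dests: dict[tuple[str, int], set[str]] = defaultdict(set)
    weight: dict[tuple[str, int], float] = defaultdict(lambda: 1.0)
    scores: dict[str, float] = defaultdict(float)
    for p in packets:
        scores[p.host] += 0.0          # every observed host appears in the ranking
        if profiled_normal(p):
            continue
        key = (p.host, p.ts // window)
        dests[key].add(p.dst)
        if off_hours(p):
            weight[key] = OFF_HOURS_WEIGHT
    for key, ds in dests.items():
        scores[key[0]] += len(ds) * weight[key]
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def at(hour: int, minute: int = 0) -> int:
    """Constructed timestamp: hour:minute on 'day 0' of the epoch."""
    return hour * 3600 + minute * 60


# Constructed sample traffic.
SAMPLE = (
    # h1: P2P client contacting 30 peers in one minute during work hours (worm-like fan-out, but profiled)
    [Packet(at(10), "h1", "p2pclient", f"10.0.0.{i}", 6881) for i in range(1, 31)]
    # h2: unprofiled process touching 20 hosts on one port at 03:00 (off hours)
    + [Packet(at(3) + i, "h2", "unknownproc", f"10.0.1.{i}", 5555) for i in range(1, 21)]
    # h3: browsing (profiled) plus a mail client reaching two servers
    + [Packet(at(12), "h3", "browser", f"10.0.2.{i}", 443) for i in range(1, 6)]
    + [Packet(at(12), "h3", "mailclient", f"10.0.3.{i}", 25) for i in range(1, 3)]
)

if __name__ == "__main__":
    for host, score in rank_hosts(SAMPLE):
        print(f"{host}: {score}")
```

With the profiles applied, the P2P host h1 drops to the bottom of the ranking despite its large fan-out, while h2, whose unprofiled process reaches many hosts outside its usual hours, is ranked first; the ranking is what an analyst would review, with the profile and weight values tuned per site rather than taken from this sketch.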
© 2008 Springer-Verlag Berlin Heidelberg
Xiao, F., Hu, H., Liu, B., Chen, X. (2008). A Novel Worm Detection Model Based on Host Packet Behavior Ranking. In: Meersman, R., Tari, Z. (eds) On the Move to Meaningful Internet Systems: OTM 2008. OTM 2008. Lecture Notes in Computer Science, vol 5332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88873-4_4
DOI: https://doi.org/10.1007/978-3-540-88873-4_4
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-88872-7
Online ISBN: 978-3-540-88873-4