Defending against Internet worms: a signature-based approach

@inproceedings{citeulike:455590, abstract = {With the capability of infecting hundreds of thousands of hosts, worms represent a major threat to the Internet. The defense against Internet worms is largely an open problem. This paper investigates two important problems. Can a localized defense system detect new worms that were not seen before and moreover, capture the attack packets? How to identify polymorphic worms from the normal background traffic? We have two major contributions here. The first contribution is the design of a novel double-honeypot system, which is able to automatically detect new worms and isolate the attack traffic. The second contribution is the proposal of a new type of position-aware distribution signatures (PADS), which fit in the gap between the traditional signatures and the anomaly-based systems. We propose two algorithms based on expectation-maximization (EM) and Gibbs sampling for efficient computation of PADS from polymorphic worm samples. The new signature is capable of handling certain polymorphic worms. Our experiments show that the algorithms accurately separate new variants of the MSBlaster worm from the normal-traffic background.}, author = {Tang, Y. and Chen, S. }, citeulike-article-id = {455590}, journal = {INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE}, keywords = {ids, intrusion\_detection, worm}, pages = {1384--1394 vol. 2}, posted-at = {2006-01-08 16:57:48}, priority = {3}, title = {Defending against Internet worms: a signature-based approach}, url = {http://ieeexplore.ieee.org/xpls/abs\_all.jsp?arnumber=1498363}, volume = {2}, year = {2005} }

TY - CONF ID - citeulike:455590 L3 - citeulike-article-id:455590 TI - Defending against Internet worms: a signature-based approach JF - INFOCOM 2005. 24th Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings IEEE VL - 2 SP - 1384 EP - 1394 vol. 2 N2 - With the capability of infecting hundreds of thousands of hosts, worms represent a major threat to the Internet. The defense against Internet worms is largely an open problem. This paper investigates two important problems. Can a localized defense system detect new worms that were not seen before and moreover, capture the attack packets? How to identify polymorphic worms from the normal background traffic? We have two major contributions here. The first contribution is the design of a novel double-honeypot system, which is able to automatically detect new worms and isolate the attack traffic. The second contribution is the proposal of a new type of position-aware distribution signatures (PADS), which fit in the gap between the traditional signatures and the anomaly-based systems. We propose two algorithms based on expectation-maximization (EM) and Gibbs sampling for efficient computation of PADS from polymorphic worm samples. The new signature is capable of handling certain polymorphic worms. Our experiments show that the algorithms accurately separate new variants of the MSBlaster worm from the normal-traffic background. KW - ids KW - intrusion_detection KW - worm AU - Tang, Y AU - Chen, S PY - 2005/// UR - http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1498363 ER -