Monitoring and Early Warning for Internet Worms

Cliff Changchun Zou, Lixin Gao, Weibo Gong, Don Towsley
University of Massachusetts at Amherst
{czou, lgao, gong}@ecs.umass.edu, towsley@cs.umass.edu

ABSTRACT

After the Code Red incident in 2001 and SQL Slammer in January 2003, it is clear that a simple self-propagating worm can quickly spread across the Internet and infect most vulnerable computers before people can take effective countermeasures. The fast-spreading nature of worms calls for a worm monitoring and early warning system. In this paper, we propose effective algorithms for early detection of the presence of a worm and the corresponding monitoring system. Based on an epidemic model and observation data from the monitoring system, and using the idea of detecting the trend, not the rate, of monitored illegitimate scan traffic, we propose to use a Kalman filter to detect a worm's propagation at its early stage in real time. In addition, we can effectively predict the overall vulnerable population size and correct the bias in the observed number of infected hosts. Our simulation experiments for Code Red and SQL Slammer show that with observation data from a small fraction of IP addresses, we can detect the presence of a worm when it infects only 1% to 2% of the vulnerable computers on the Internet.

Categories and Subject Descriptors
K.6.5 [Management of Computing and Information Systems]: Security and Protection (Invasive software)

General Terms
Security, Algorithms

Keywords
Monitoring, Early detection, Worm propagation

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CCS'03, October 27-30, 2003, Washington, DC, USA. Copyright 2003 ACM 1-58113-738-9/03/0010 ... $5.00.

1. INTRODUCTION

Since the Morris worm in 1988 [21], the security threat posed by worms has steadily increased, especially in the last several years. In 2001, Code Red and Nimda infected hundreds of thousands of computers [17, 22], causing millions of dollars of loss to our society [8]. After a relatively quiet period, SQL Slammer appeared on January 25th, 2003, and quickly spread throughout the Internet [19]. Because of its very fast scan rate, Slammer infected more than 90% of vulnerable computers on the Internet within 10 minutes [19]. In addition, the large amount of scan packets sent out by Slammer caused a global-scale denial of service attack on the Internet. Many networks across Asia, Europe, and America were effectively shut down for several hours [6]....
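The abstract's central idea, detecting the exponential trend of monitored scan traffic with a Kalman filter rather than reacting to its absolute rate, can be reproduced on a small scale. The following is an added illustration written for this page, not the authors' code. It assumes a discrete-time simple epidemic model I_{t+1} = I_t + beta I_t (N - I_t), a passive monitor (a "telescope") that sees every infected host's random scans with probability MONITORED/ADDRESS_SPACE, Poisson-distributed scan counts on top of a constant background of unrelated scans, and the early-stage linear model Z_t = (1 + alpha) Z_{t-1} for the monitored traffic Z_t, whose parameter alpha is fitted recursively (a Kalman filter with a constant state, equivalent to recursive least squares). The alarm rule, "alpha has stayed positive and stable over a window", the threshold for starting the filter, the /8 telescope size, the background level, and the window and tolerance values are all constructed choices; the population and scan rate are roughly the Code Red figures.

```python
import math
import random

# Constructed parameters; N and the scan rate are roughly the Code Red figures.
N_VULNERABLE = 360_000
SCAN_RATE = 358            # scans per minute per infected host
ADDRESS_SPACE = 2 ** 32
MONITORED = 2 ** 24        # assumed telescope: one unused /8
BACKGROUND = 10.0          # assumed mean of unrelated illegitimate scans per minute
WORM_START = 60            # worm released after one quiet hour (minute index)
STEPS = 600                # minutes simulated


def poisson(rng, lam):
    """Poisson sample: Knuth's method for small means, normal approximation above."""
    if lam < 30:
        limit, k, p = math.exp(-lam), 0, 1.0
        while True:
            p *= rng.random()
            if p <= limit:
                return k
            k += 1
    return max(0, int(round(rng.gauss(lam, math.sqrt(lam)))))


def simulate(seed=7):
    """Simple epidemic model plus a telescope that sees a fraction
    MONITORED/ADDRESS_SPACE of every infected host's random scans.
    Returns (infected hosts per minute, monitored scans per minute)."""
    rng = random.Random(seed)
    beta = SCAN_RATE / ADDRESS_SPACE          # pairwise infection rate per minute
    hit_prob = MONITORED / ADDRESS_SPACE      # chance that one scan lands in the telescope
    infected, scans = [], []
    i = 0.0
    for t in range(STEPS):
        if t == WORM_START:
            i = 10.0                          # assumed initial infections
        infected.append(i)
        scans.append(poisson(rng, BACKGROUND + i * SCAN_RATE * hit_prob))
        if i > 0:
            i = min(N_VULNERABLE, i + beta * i * (N_VULNERABLE - i))
    return infected, scans


def kalman_alpha(scans, calib=30, threshold_factor=5.0, window=30, tol=0.15):
    """Kalman (recursive least squares) estimate of alpha in the early-stage model
    Z_t = (1 + alpha) * Z_{t-1}, run on background-subtracted monitored scans once
    they exceed threshold_factor times the baseline measured during the first
    `calib` quiet minutes.  Alarm when the last `window` estimates are positive
    and all within `tol` of their mean, i.e. the trend has stabilised.
    Returns (alarm minute, alpha estimate) or None."""
    baseline = sum(scans[:calib]) / calib
    t0 = next((t for t, z in enumerate(scans) if z >= threshold_factor * baseline), None)
    if t0 is None:
        return None
    theta, P, R = 1.0, 1e4, 1.0               # state (1 + alpha), its variance, measurement variance
    alphas = []
    for t in range(t0 + 1, len(scans)):
        x, y = scans[t - 1] - baseline, scans[t] - baseline
        if x <= 0:
            continue
        K = P * x / (x * P * x + R)           # Kalman gain
        theta += K * (y - x * theta)          # correct the state with the innovation
        P *= 1 - K * x
        alphas.append(theta - 1.0)
        if len(alphas) >= window:
            recent = alphas[-window:]
            mean = sum(recent) / window
            if mean > 0 and all(abs(a - mean) <= tol * mean for a in recent):
                return t, mean
    return None


def run_demo(seed=7):
    """Simulate, run the detector, and report when it fired and how far the
    worm had spread by then, alongside the model's true growth rate beta*N."""
    infected, scans = simulate(seed)
    alpha_true = SCAN_RATE * N_VULNERABLE / ADDRESS_SPACE
    result = kalman_alpha(scans)
    if result is None:
        return {"alarm": None, "alpha_est": None, "fraction": None, "alpha_true": alpha_true}
    t, alpha = result
    return {"alarm": t, "alpha_est": alpha,
            "fraction": infected[t] / N_VULNERABLE, "alpha_true": alpha_true}


if __name__ == "__main__":
    r = run_demo()
    print("alarm at minute %s, %.2f%% of vulnerable hosts infected, "
          "alpha estimate %.4f vs true %.4f"
          % (r["alarm"], 100 * r["fraction"], r["alpha_est"], r["alpha_true"]))
```

Two points carry over from the paper's argument. The filter is started only after traffic exceeds a multiple of the measured baseline, otherwise background noise drives the estimate; and the alarm keys on the estimated growth rate alpha settling at a positive value, not on the scan volume crossing a fixed level, which is what lets it fire while only a small fraction of the vulnerable population is infected. Because the regression weights grow with Z_{t-1}, the most recent observations dominate the estimate, so a telescope that sees too little traffic (a /16 instead of a /8 here) will produce a noisy alpha and a late or missed alarm.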