TY - GEN
T1 - Distributed early worm detection based on payload histograms
AU - Waizumi, Yuji
AU - Tsuji, Masashi
AU - Tsunoda, Hiroshi
AU - Ansari, Nirwan
AU - Nemoto, Yoshiaki
PY - 2007
Y1 - 2007
N2 - Epidemic worms have become a social problem owing to their potency in paralyzing the Internet, thus affecting our way of life. Recent research has pointed out that epidemic worms can propagate similar payloads rapidly. It has been shown that similarities between these payloads can be evaluated in terms of a 256-dimensional vector based on histograms of the appearance frequencies of the 256 character codes. This observation has also been confirmed by our earlier work. However, this method, if applied to flows from only one network (i.e., a network managed by an independent organization), is prone to a high rate of false positives in cases such as when normal emails are sent through a mailing list. To overcome this problem, we propose a new scheme which checks for similarity between flows detected at several IDSs in a distributed environment. The proposed scheme is based on the fact that normal payloads propagating from different networks differ, whereas payloads generated by the same epidemic worm exhibit similarity even when propagated through different networks. We have demonstrated the effectiveness of the proposed scheme through extensive experiments using real network traffic that contains worms.
KW - Clustering
KW - Distributed IDS
KW - Flow
KW - Similarity of payload
UR - http://www.scopus.com/inward/record.url?scp=38549160738&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=38549160738&partnerID=8YFLogxK
U2 - 10.1109/ICC.2007.236
DO - 10.1109/ICC.2007.236
M3 - Conference contribution
AN - SCOPUS:38549160738
SN - 1424403537
SN - 9781424403530
T3 - IEEE International Conference on Communications
SP - 1404
EP - 1408
BT - 2007 IEEE International Conference on Communications, ICC'07
T2 - 2007 IEEE International Conference on Communications, ICC'07
Y2 - 24 June 2007 through 28 June 2007
ER -