Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis
www.caida.org > publications : bib : networking : entries : collins07hitlist.xml
Bibliography Details
M. Collins and M. Reiter, "Hit-list worm detection and bot identification in large networks using protocol graphs", in RAID 2007, Sep 2007.
Hit-list worm detection and bot identification in large networks using protocol graphs
Authors: M. Collins
M. Reiter
Published: RAID, 2007
URL:http://www.springerlink.com/index/d4u6031rg2071787.pdf
Entry Dates: 2009-02-11
Abstract: We present a novel method for detecting hit-list worms using protocol graphs. In a protocol graph, a vertex represents a single IP address, and an edge represents communications between those addresses using a specific protocol (e.g., HTTP). We show that the protocol graphs of four diverse and representative protocols (HTTP, FTP, SMTP, and Oracle), as constructed from monitoring for fixed durations on a large intercontinental network, exhibit stable graph sizes and largest connected component sizes. Moreover, we demonstrate that worm propagations, even of a sophisticated hit-list variety in which the attacker has advance knowledge of his targets and always connects successfully, perturb these properties. We demonstrate that these properties can be monitored very efficiently even in very large networks, giving rise to a viable and novel approach for worm detection. We also demonstrate extensions by which the attacking hosts (bots) can be identified with high accuracy.
Results:
  • datasets: CISCO Netflow traffic summaries collected on a large ISP network; no payload;
  • using protocol graphs(in a protocal graph, a vertex represents a single IP addressl, and an edge represents communications between those addresses using a specific protocol.
  Last Modified: Wed Mar-27-2019 22:23:20 PDT
  Page URL: http://www.caida.org/publications/bib/networking/entries/collins07hitlist.xml