Title :
Worm origin identification using random moonwalks
Author :
Xie, Yinglian ; Sekar, Vyas ; Maltz, David A. ; Reiter, Michael K. ; Zhang, Hui
Author_Institution :
Carnegie Mellon Univ., Pittsburgh, PA, USA
Abstract :
We propose a novel technique that can determine both the host responsible for originating a propagating worm attack and the set of attack flows that make up the initial stages of the attack tree via which the worm infected successive generations of victims. We argue that knowledge of both is important for combating worms: knowledge of the origin supports law enforcement, and knowledge of the causal flows that advance the attack supports diagnosis of how network defenses were breached. Our technique exploits the "wide tree" shape of a worm propagation emanating from the source by performing random "moonwalks" backward in time along paths of flows. Correlating the repeated walks reveals the initial causal flows, thereby aiding in identifying the source. Using analysis, simulation, and experiments with real world traces, we show how the technique works against both today\´s fast propagating worms and stealthy worms that attempt to hide their attack flows among background traffic.
Keywords :
invasive software; randomised algorithms; tree data structures; attack flows; attack tree; background traffic; fast propagating worms; host identification; initial causal flows; law enforcement; network diagnosis; propagating worm attack; random moonwalks; repeated walks; stealthy worms; wide tree shape; worm origin identification; worm propagation; Analytical models; Computational modeling; Computer networks; Computer simulation; Computer worms; Forensics; Law enforcement; Shape; Telecommunication traffic; Traffic control;
Conference_Titel :
Security and Privacy, 2005 IEEE Symposium on
Print_ISBN :
0-7695-2339-0
