Worm origin identification using random moonwalks

Author

Xie, Yinglian ; Sekar, Vyas ; Maltz, David A. ; Reiter, Michael K. ; Zhang, Hui

Author_Institution

Carnegie Mellon Univ., Pittsburgh, PA, USA

fYear

2005

fDate

8-11 May 2005

Firstpage

242

Lastpage

256

Abstract

We propose a novel technique that can determine both the host responsible for originating a propagating worm attack and the set of attack flows that make up the initial stages of the attack tree via which the worm infected successive generations of victims. We argue that knowledge of both is important for combating worms: knowledge of the origin supports law enforcement, and knowledge of the causal flows that advance the attack supports diagnosis of how network defenses were breached. Our technique exploits the "wide tree" shape of a worm propagation emanating from the source by performing random "moonwalks" backward in time along paths of flows. Correlating the repeated walks reveals the initial causal flows, thereby aiding in identifying the source. Using analysis, simulation, and experiments with real world traces, we show how the technique works against both today\´s fast propagating worms and stealthy worms that attempt to hide their attack flows among background traffic.

Keywords

invasive software; randomised algorithms; tree data structures; attack flows; attack tree; background traffic; fast propagating worms; host identification; initial causal flows; law enforcement; network diagnosis; propagating worm attack; random moonwalks; repeated walks; stealthy worms; wide tree shape; worm origin identification; worm propagation; Analytical models; Computational modeling; Computer networks; Computer simulation; Computer worms; Forensics; Law enforcement; Shape; Telecommunication traffic; Traffic control;

fLanguage

English

Publisher

ieee

Conference_Titel

Security and Privacy, 2005 IEEE Symposium on

ISSN

1081-6011

Print_ISBN

0-7695-2339-0

Type

conf

DOI

10.1109/SP.2005.23

Filename

1425071