Worm Evolution Tracking via Timing Analysis

Short Description
namely back-tracking the evolution of a worm outbreak. In fact, … the infection evolution from the history of worm scans seen at a. network telescope [9]. …

Website: www1.cs.columbia.edu | Filesize: 501kb

Content
Worm Evolution Tracking via Timing Analysis
Moheeb Abu Rajab Fabian Monrose Andreas Terzis
Computer Science Department
Johns Hopkins University
{moheeb,fabian,terzis}@cs.jhu.edu
ABSTRACT
We present a technique to infer a worm’s infection sequence from
traffic traces collected at a network telescope. We analyze the fidelity
of the infection evolution as inferred by our technique, and
explore its effectiveness under varying constraints including the
scanning rate of the worm, the size of the vulnerable population,
and the size of the telescope itself. Moreover, we provide guidance
regarding the point at which our method’s accuracy diminishes beyond
practical value. As we show empirically, this point is reached
well after a few hundred initial infected hosts (possibly including
“patient zero”) has been reliably identified with more than 80% accuracy.
We generalize our mechanism by exploiting the change in
the pattern of inter-arrival times exhibited during the early stages
of such an outbreak to detect the presence and approximate size of
the hit-list. Our mechanism is resilient to varying parameters like
the worm scanning rate and the size of the vulnerable population,
and can provide significant insights into the characteristics of the
hit-list even under…