Worm Origin Identification Using Random Moonwalks

Short Description
worm origin without any a priori knowledge about the at- … as a potential solution for worm origin identification to-. gether with IP traceback. …

Website: www.cs.cmu.edu | Filesize: 396kb

Content
Worm Origin Identification Using Random Moonwalks
Yinglian Xie Vyas Sekar David A. Maltz Michael K. Reiter Hui Zhang
Carnegie Mellon University..
Abstract
We propose a novel technique that can determine both
the host responsible for originating a propagating worm
attack and the set of attack flows that make up the initial
stages of the attack tree via which the worm infected
successive generations of victims. We argue that knowledge
of both is important for combating worms: knowledge
of the origin supports law enforcement, and knowledge
of the causal flows that advance the attack supports diagnosis
of how network defenses were breached. Our technique
exploits the “wide tree” shape of a worm propagation
emanating from the source by performing random “moonwalks”
backward in time along paths of flows. Correlating
the repeated walks reveals the initial causal flows, thereby
aiding in identifying the source. Using analysis, simulation,
and experiments with real world traces, we show how
the technique works against both today’s fast propagating
worms and stealthy worms that attempt to hide their attack
flows among background traffic.
1 Introduction
In all propagating worms, epidemic spreading attacks, and
other types of attacks that utilize compromised computers to
launch attack…