Abstract
With unprecedented speed, virulence, and sophistication, self-propagating worms remain one of the most severe threats to information systems and to the Internet in general. To mitigate the threat, efficient mechanisms are needed to accurately profile and detect worms before or during their outbreaks. In particular, deriving a worm's unique signatures, or fingerprints, is the first priority in achieving this goal. One of the most popular approaches is to use content-based signatures, which characterize a worm by extracting its unique information payload. In practice, such content-based signatures unfortunately suffer from numerous disadvantages, such as vulnerability to content mutation attacks and inapplicability to polymorphic worms. In this paper, we propose a new behavioral footprinting (BF) approach that complements the state-of-the-art content-based signature approaches and allows users to detect and profile self-propagating worms from the perspective of the worm's unique behavior. More specifically, our behavioral footprinting method captures a worm's dynamic infection sequence (e.g., probing, exploitation, and replication) by modeling each interaction step as a behavior phenotype and denoting a complete infection process as a chained sequence. We argue that a self-propagating worm's inherent behaviors or infection patterns can be detected and characterized using sequence alignment tools, where the patterns shared by the infection sequences imply the behavioral footprints of the worm. A systematic platform called vEye has been built to validate the proposed design with either "live" or historical worms, where a number of real-world infection sequences are used to build worm behavioral footprints. Experimental comparisons with existing content-based fingerprints demonstrate the uniqueness and effectiveness of the proposed behavioral footprints in self-propagating worm detection and profiling.
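To illustrate the idea of deriving a footprint from shared infection patterns, the following added Python example (not code from the paper or the vEye platform) globally aligns two constructed infection sequences and keeps the matched columns as the shared behavioral footprint; the one-letter encoding of behavior phenotypes, the two traces, and the match/mismatch/gap scores are all assumptions made here.

```python
# Behavior phenotypes, one letter each (assumed encoding, not the paper's):
# P = probe, E = exploit, S = shell, D = download, R = replicate, N = unrelated traffic.
MATCH, MISMATCH, GAP = 2, -1, -1

# Two constructed infection traces of the same worm, differing only in
# how many probes preceded the exploit and where unrelated traffic appeared.
TRACE_A = "PPPESDR"
TRACE_B = "NPESNDR"


def align(a, b):
    """Needleman-Wunsch global alignment; returns (score, aligned_a, aligned_b)."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * GAP
    for j in range(1, m + 1):
        score[0][j] = j * GAP
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            score[i][j] = max(score[i - 1][j - 1] + sub,
                              score[i - 1][j] + GAP,
                              score[i][j - 1] + GAP)
    # Trace back from the bottom-right cell to recover one optimal alignment.
    i, j, out_a, out_b = n, m, [], []
    while i > 0 or j > 0:
        if i > 0 and j > 0 and score[i][j] == score[i - 1][j - 1] + (
                MATCH if a[i - 1] == b[j - 1] else MISMATCH):
            out_a.append(a[i - 1]); out_b.append(b[j - 1]); i -= 1; j -= 1
        elif i > 0 and score[i][j] == score[i - 1][j] + GAP:
            out_a.append(a[i - 1]); out_b.append("-"); i -= 1
        else:
            out_a.append("-"); out_b.append(b[j - 1]); j -= 1
    return score[n][m], "".join(reversed(out_a)), "".join(reversed(out_b))


def footprint(a, b):
    """Behaviors both infections share, in order: the matched alignment columns."""
    _, x, y = align(a, b)
    return "".join(c for c, d in zip(x, y) if c == d)


def matches(fp, observed):
    """True if every footprint step occurs in the observed trace in order, gaps allowed."""
    it = iter(observed)
    return all(step in it for step in fp)


if __name__ == "__main__":
    print(align(TRACE_A, TRACE_B))            # (7, 'PPPES-DR', 'NP-ESNDR') or an equal-score variant
    print(footprint(TRACE_A, TRACE_B))        # PESDR
    print(matches("PESDR", "PNESDNR"))        # True
```

With more than two traces, the same matched-column extraction can be applied pairwise, or progressively against the footprint itself, so that noise that appears in only some infections drops out.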
A preliminary version of this paper was published in the Proceedings of the 4th ACM Workshop on Recurring Malcode (WORM 2006), Fairfax, VA, 2006. This research has been supported by the National Science Foundation (NSF) under Grant No. CNS-0716376 and National Science Foundation of China (NSFC) under Grant No. 60674109.
Jiang, X., Zhu, X. vEye: behavioral footprinting for self-propagating worm detection and profiling. Knowl Inf Syst 18, 231–262 (2009). https://doi.org/10.1007/s10115-008-0137-3