host behaviour based early detection of worm outbreaks in internet backbones

《host behaviour based early detection of worm outbreaks in internet backbones》由会员上传分享，免费在线阅读，更多相关内容在教育资源-天天文库。

1、HostBehaviourBasedEarlyDetectionofWormOutbreaksinInternetBackbonesThomasD¨ubendorfer†,BernhardPlattnerComputerEngineeringandNetworksLaboratory(TIK)SwissFederalInstituteofTechnology,Zurich{duebendorfer,plattner}@tik.ee.ethz.chAbstractBasedontheobservationthathosts

2、infectedbythesamewormexecutethesamecodeforscanningandtransferringWeproposeanovelnearreal-timemethodforearlyexploitandwormcode,weassumethatduringawormdetectionofwormoutbreaksinhigh-speedInternetback-outbreakthenetworkbehaviourofmanyhostswillsud-bones.Ourmethodattr

3、ibutesseveralbehaviouralproper-denlychangeinasimilarway.Inthispaper,weproposetiestoindividualhostslikeratioofoutgoingtoincominganovelnearreal-timemethodforearlydetectionofwormtraffic,responsivenessandnumberofconnections.Theseoutbreaksinhigh-speedInternetbackbones.

4、Byanalysingpropertiesareusedtogrouphostsintodistinctbehaviourbackbonetrafficatflow-level,wecanattributevariousbe-classes.Weuseflow-level(CiscoNetFlow)informationex-haviouralpropertiestohostslikeratioofoutgoingtoin-portedbytheborderroutersofaSwissInternetbackbonecomi

5、ngtraffic,responsivenessandnumberofconnections,provider(AS559/SWITCH).Bytrackingthecardinalityofwhichallarestronglyinfluencedbyawormoutbreak.eachclassovertimeandalarmingonfastincreasesandThesepropertiesareusedtogrouphostsintodistinctclassesothersignificantchanges,we

6、canearlyandreliablyde-accordingtotheircurrentbehaviour.Weshowthatbytrack-tectwormoutbreaks.Wesuccessfullyvalidatedourmethodingthecardinality∗oftheseclassesforsignificantchangeswitharchivedflow-leveltracesofrecentmajorInternete-overtime,wormoutbreakeventscanreliably

7、bedetectedmailbasedwormssuchasMyDoom.AandSobig.F,andandasetofpotentiallyinfectedhostscanbeidentified.fastspreadingnetworkwormslikeWittyandBlaster.OurTheoutlineofthispaperisasfollows:AfterasurveyofmethodisgenericinthesensethatitdoesnotrequireanyrelatedworkinSection

8、2andNetFlowtracesinSection3,previousknowledgeabouttheexploitsandscanningmethodwepresentinSection4ourhostbehaviourbasedwormde-usedbytheworms.Itcangiveasetofsusp