Distributed early worm detection based on payload histograms

Yuji Waizumi, Masashi Tsuji, Hiroshi Tsunoda, Nirwan Ansari, Yoshiaki Nemoto

Research output: Chapter in Book/Report/Conference proceedingConference contribution

1 Citation (Scopus)

Abstract

Epidemic worms has become a social problem owing to their potency in paralyzing the Internet, thus affecting our way of life. Recent researches have pointed out that epidemic worms can propagate similar payloads rapidly. It was shown that it is possible to evaluate similarities between these payloads in terms of a 256-dimensional vector based on histograms of the appearance frequencies of 256 character codes. This observation has also been confirmed by our earlier works. However, this method, if applied to flows from only one network, which means a network managed by an independent organization, is prone to a high rate of false positives in cases such as when normal emails are sent through a mailing list. To overcome this problem, we propose a new scheme which checks for any similarity between flows detected at several IDSs in a distributed environment. The proposed scheme is based on the fact that normal payloads propagating from different networks are different, whereas in the case of epidemic worms payloads even propagated through different networks but generated by the same worm exhibit similarity. We have demonstrated the effectiveness of the proposed scheme through extensive experiments using real network traffic that contains worms.

Original languageEnglish
Title of host publication2007 IEEE International Conference on Communications, ICC'07
Pages1404-1408
Number of pages5
DOIs
Publication statusPublished - 2007 Dec 1
Event2007 IEEE International Conference on Communications, ICC'07 - Glasgow, Scotland, United Kingdom
Duration: 2007 Jun 242007 Jun 28

Publication series

NameIEEE International Conference on Communications
ISSN (Print)0536-1486

Other

Other2007 IEEE International Conference on Communications, ICC'07
CountryUnited Kingdom
CityGlasgow, Scotland
Period07/6/2407/6/28

Keywords

  • Clustering
  • Distributed IDS
  • Flow
  • Similarity of payload

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Electrical and Electronic Engineering

Fingerprint Dive into the research topics of 'Distributed early worm detection based on payload histograms'. Together they form a unique fingerprint.

  • Cite this

    Waizumi, Y., Tsuji, M., Tsunoda, H., Ansari, N., & Nemoto, Y. (2007). Distributed early worm detection based on payload histograms. In 2007 IEEE International Conference on Communications, ICC'07 (pp. 1404-1408). [4288907] (IEEE International Conference on Communications). https://doi.org/10.1109/ICC.2007.236