Worm Origin Identification Using Random Walks
We propose a novel technique for determining the origin of a quickly propagating worm or the worm’s entry point to an intranet, for law enforcement or diagnostic purposes. Our technique rests upon an architecture in which network routers or end hosts record flow records and make them available for querying. Querying these records, our search then walks backward randomly along paths of flows. Due to the “wide tree” shape of a worm propagation emanating from the source, those edges near the top of the tree emerge as edges more frequently traversed in random walks, thereby aiding in identifying the source. We detail the effectiveness of this approach using both analysis and simulation, and argue the feasibility of the architecture needed to implement it.
Source: Worm Origin Identification Using Random Walks, Yinglian Xie, Vyas Sekar, David A. Maltz, Michael K. Reiter, and Hui Zhang.
An interesting paper, and one of the more interesting methods I've seen in a long time for worm host detection.
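To make the idea in the abstract concrete, here is a small Python simulation of origin identification by backward random walks over flow records. This is an added example, not code from the paper or the blog: the walk rule (hop from a flow to a uniformly chosen flow that arrived at its source host strictly earlier), the constructed 121-host worm tree, the background traffic mix, and the choice to aggregate traversal counts per source host are assumptions made for illustration, and the published algorithm has parameters this toy omits.

```python
"""Toy simulation of worm-origin identification by backward random walks over
flow records.  Added example, not code from the paper: the walk rule, the
constructed network and the traffic mix are assumptions for illustration."""
import random
from collections import Counter, defaultdict

ORIGIN = 0  # assumed host id of the worm's origin in the constructed flow log


def build_flows(seed=7, fanout=3, rounds=4, n_hosts=200, n_background=200, t_max=5):
    """Construct a flow log as a list of (src, dst, time) tuples.

    The worm starts at ORIGIN at time 1 and every infected host contacts `fanout`
    fresh hosts one tick later, which gives the wide tree the abstract describes.
    Background flows are random host pairs at random times in 1..t_max.  Times
    start at 1 so that nothing in the log precedes the origin's first flows.
    """
    rng = random.Random(seed)
    flows = []
    frontier = [ORIGIN]
    next_host = 1
    for t in range(1, rounds + 1):
        new_frontier = []
        for src in frontier:
            for _ in range(fanout):
                dst, next_host = next_host, next_host + 1
                flows.append((src, dst, t))
                new_frontier.append(dst)
        frontier = new_frontier
    assert next_host <= n_hosts, "worm tree needs more hosts than n_hosts"
    for _ in range(n_background):
        src, dst = rng.sample(range(n_hosts), 2)
        flows.append((src, dst, rng.randint(1, t_max)))
    return flows


def index_by_dst(flows):
    """Index flows by destination host, the lookup a backward step needs."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f[1]].append(f)
    return by_dst


def backward_walk(flows, by_dst, rng, max_steps=8):
    """One walk: start at a uniformly chosen flow, then repeatedly hop to a uniformly
    chosen flow that arrived at the current flow's source host strictly earlier.
    Stops when no such flow exists (for worm flows, at the origin) or after max_steps."""
    cur = rng.choice(flows)
    path = [cur]
    for _ in range(max_steps):
        src, _, t = cur
        candidates = [g for g in by_dst[src] if g[2] < t]
        if not candidates:
            break
        cur = rng.choice(candidates)
        path.append(cur)
    return path


def run_walks(flows, n_walks=4000, seed=11):
    """Run n_walks independent backward walks and return their paths."""
    rng = random.Random(seed)
    by_dst = index_by_dst(flows)
    return [backward_walk(flows, by_dst, rng) for _ in range(n_walks)]


def rank_flows(paths):
    """Count how often each flow was traversed; flows near the top of the worm tree
    are shared by every walk that climbs out of their subtree and so rank highest."""
    counts = Counter()
    for path in paths:
        counts.update(path)
    return counts


def rank_hosts(counts):
    """Aggregate traversal counts by source host.  The origin owns the most-traversed
    edges, so it comes out first; returns [(host, score), ...] best first."""
    per_host = Counter()
    for (src, _, _), c in counts.items():
        per_host[src] += c
    return per_host.most_common()


if __name__ == "__main__":
    flows = build_flows()
    counts = rank_flows(run_walks(flows))
    print("most traversed flows:", counts.most_common(5))
    print("candidate origins:", rank_hosts(counts)[:5])
```

The three flows leaving the origin at time 1 are traversed by every walk that starts anywhere in their subtrees and climbs without being diverted onto a background flow, so their counts dwarf those of deeper worm edges and of background flows. Background flows that arrive at an early-infected host around the same time as the worm do steal some walks, which is why the example ranks hosts by the summed counts of their outgoing flows rather than trusting the single most-traversed flow.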
December 26, 2004 in papers
Comments
A newer version of this paper is available as http://www.cs.cmu.edu/~dmaltz/papers/xie_oakland05_random_moonwalk.pdf
We evaluate the algorithm against both fast and slow worms, and we have a (cool) new name for the algorithm --- the random moonwalk.
Posted by: Dave Maltz | Mar 8, 2005 8:35:27 PM