Detecting unknown worms using randomness check

Hyundo Park; Heejo Lee

doi:10.1007/11919568_77

Detecting unknown worms using randomness check

Hyundo Park, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

From the appearance of CodeRed and SQL Slammer worm, we have learned that the early detection of worm epidemics is important to reduce the damage caused by their outbreak. One prominent characteristic of Internet worms is to choose next targets randomly by using a random generator. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses. Our mechanism generates the traffic matrix and checks the value of rank of it to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high value of rank, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the traffic matrix. From the experiments on various environments, we show that the ADUR mechanism effectively detects the spread of new worms in an early stage, even when there is only one host infected in a monitoring network.

Original language	English
Title of host publication	Information Networking
Subtitle of host publication	Advances in Data Communications and Wireless Networks - International Conference, ICOIN 2006. Revised Selected Papers
Publisher	Springer Verlag
Pages	775-784
Number of pages	10
ISBN (Print)	3540485635, 9783540485636
DOIs	https://doi.org/10.1007/11919568_77
Publication status	Published - 2006
Event	International Conference on Information Networking, ICOIN 2006 - Sendai, Japan Duration: 2006 Jan 16 → 2006 Jan 19

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	3961 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	International Conference on Information Networking, ICOIN 2006
Country/Territory	Japan
City	Sendai
Period	06/1/16 → 06/1/19

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/11919568_77

Cite this

Park, H., & Lee, H. (2006). Detecting unknown worms using randomness check. In Information Networking: Advances in Data Communications and Wireless Networks - International Conference, ICOIN 2006. Revised Selected Papers (pp. 775-784). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3961 LNCS). Springer Verlag. https://doi.org/10.1007/11919568_77

Detecting unknown worms using randomness check. / Park, Hyundo; Lee, Heejo.
Information Networking: Advances in Data Communications and Wireless Networks - International Conference, ICOIN 2006. Revised Selected Papers. Springer Verlag, 2006. p. 775-784 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3961 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Park, H & Lee, H 2006, Detecting unknown worms using randomness check. in Information Networking: Advances in Data Communications and Wireless Networks - International Conference, ICOIN 2006. Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 3961 LNCS, Springer Verlag, pp. 775-784, International Conference on Information Networking, ICOIN 2006, Sendai, Japan, 06/1/16. https://doi.org/10.1007/11919568_77

Park H, Lee H. Detecting unknown worms using randomness check. In Information Networking: Advances in Data Communications and Wireless Networks - International Conference, ICOIN 2006. Revised Selected Papers. Springer Verlag. 2006. p. 775-784. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/11919568_77

Park, Hyundo ; Lee, Heejo. / Detecting unknown worms using randomness check. Information Networking: Advances in Data Communications and Wireless Networks - International Conference, ICOIN 2006. Revised Selected Papers. Springer Verlag, 2006. pp. 775-784 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{9cbd091edf584fe58fcd035af6598169,

title = "Detecting unknown worms using randomness check",

abstract = "From the appearance of CodeRed and SQL Slammer worm, we have learned that the early detection of worm epidemics is important to reduce the damage caused by their outbreak. One prominent characteristic of Internet worms is to choose next targets randomly by using a random generator. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses. Our mechanism generates the traffic matrix and checks the value of rank of it to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high value of rank, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the traffic matrix. From the experiments on various environments, we show that the ADUR mechanism effectively detects the spread of new worms in an early stage, even when there is only one host infected in a monitoring network.",

author = "Hyundo Park and Heejo Lee",

year = "2006",

doi = "10.1007/11919568_77",

language = "English",

isbn = "3540485635",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "775--784",

booktitle = "Information Networking",

note = "International Conference on Information Networking, ICOIN 2006 ; Conference date: 16-01-2006 Through 19-01-2006",

}

TY - GEN

T1 - Detecting unknown worms using randomness check

AU - Park, Hyundo

AU - Lee, Heejo

PY - 2006

Y1 - 2006

N2 - From the appearance of CodeRed and SQL Slammer worm, we have learned that the early detection of worm epidemics is important to reduce the damage caused by their outbreak. One prominent characteristic of Internet worms is to choose next targets randomly by using a random generator. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses. Our mechanism generates the traffic matrix and checks the value of rank of it to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high value of rank, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the traffic matrix. From the experiments on various environments, we show that the ADUR mechanism effectively detects the spread of new worms in an early stage, even when there is only one host infected in a monitoring network.

AB - From the appearance of CodeRed and SQL Slammer worm, we have learned that the early detection of worm epidemics is important to reduce the damage caused by their outbreak. One prominent characteristic of Internet worms is to choose next targets randomly by using a random generator. In this paper, we propose a new worm detection mechanism by checking the random distribution of destination addresses. Our mechanism generates the traffic matrix and checks the value of rank of it to detect the spreading of Internet worms. From the fact that a random binary matrix holds a high value of rank, ADUR (Anomaly Detection Using Randomness check) is proposed for detecting unknown worms based on the rank of the traffic matrix. From the experiments on various environments, we show that the ADUR mechanism effectively detects the spread of new worms in an early stage, even when there is only one host infected in a monitoring network.

UR - http://www.scopus.com/inward/record.url?scp=33845520684&partnerID=8YFLogxK

U2 - 10.1007/11919568_77

DO - 10.1007/11919568_77

M3 - Conference contribution

AN - SCOPUS:33845520684

SN - 3540485635

SN - 9783540485636

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 775

EP - 784

BT - Information Networking

PB - Springer Verlag

T2 - International Conference on Information Networking, ICOIN 2006

Y2 - 16 January 2006 through 19 January 2006

ER -

Detecting unknown worms using randomness check

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this