Extracting worm-infected hosts using white list

Noriaki Kamiyama*, Tatsuya Mori, Ryoichi Kawahara, Shigeaki Harada, Hideaki Yoshino

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

2 Citations (Scopus)

Abstract

In the Internet, the rapid spread of worms is a serious problem. In many cases, worm-infected hosts generate a huge number of small flows as they scan for other target hosts. We therefore defined hosts generating many flows, i.e., a number greater than or equal to a threshold during a measurement period, as superspreaders, and we proposed a method of identifying superspreaders by flow sampling. However, some legitimate hosts that generate many flows, such as DNS servers, can also be superspreaders. Therefore, if we simply regulate all the identified superspreaders, e.g., by limiting their flow generation rate or quarantining them, legitimate hosts identified as superspreaders are regulated as well. Legitimate hosts generating many flows tend to be superspreaders in multiple continuous measurement periods. In this paper, we propose a method of extracting worm-infected hosts from identified superspreaders using a white list. We define two network states, a normal state and a worm-outbreak state. During the normal state, the IP addresses of identified superspreaders are inserted into the white list. During the worm-outbreak state, worm-infected hosts are extracted from the identified superspreaders by comparing them with the host entries stored in the white list. Using an actual packet trace and simulated abusive traffic, we demonstrate that many legitimate hosts are filtered from the identified superspreaders while suppressing the increase in worm-infected hosts that are incorrectly left unextracted.
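The white-list procedure described in the abstract, as an added Python example (not the authors' code). It counts flows exactly instead of by flow sampling; the threshold value, the externally supplied `outbreak` flag, all function names and the sample addresses are assumptions. The constructed data also shows the trade-off the abstract mentions: a white-listed host that later becomes infected is not extracted.

```python
from collections import defaultdict

THRESHOLD = 5  # assumed value; the abstract does not give the paper's threshold


def superspreaders(flows, threshold=THRESHOLD):
    """Sources with >= threshold distinct flows in one measurement period."""
    per_src = defaultdict(set)
    for src, dst, dport in flows:
        per_src[src].add((dst, dport))
    return {src for src, seen in per_src.items() if len(seen) >= threshold}


class WhiteListFilter:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.white_list = set()

    def process_period(self, flows, outbreak):
        """Normal state: learn superspreaders. Outbreak state: extract the rest."""
        found = superspreaders(flows, self.threshold)
        if not outbreak:  # how the state is decided is outside this sketch
            self.white_list |= found
            return set()
        return found - self.white_list


def fan_out(src, n, dport, net="203.0.113."):
    """Constructed sample data: n flows from src to n distinct destinations."""
    return [(src, f"{net}{i}", dport) for i in range(1, n + 1)]


def demo():
    dns, mail, client, worm = "192.0.2.53", "192.0.2.25", "192.0.2.10", "192.0.2.77"
    normal = fan_out(dns, 8, 53) + fan_out(mail, 6, 25) + fan_out(client, 2, 443)
    # Outbreak period: the DNS server behaves as before, a previously quiet host
    # starts scanning, and the white-listed mail server is also infected.
    outbreak = fan_out(dns, 8, 53) + fan_out(worm, 20, 445) + fan_out(mail, 30, 445)
    f = WhiteListFilter()
    f.process_period(normal, outbreak=False)
    f.process_period(normal, outbreak=False)
    extracted = f.process_period(outbreak, outbreak=True)
    return f.white_list, extracted


if __name__ == "__main__":
    white_list, extracted = demo()
    print("white list:", sorted(white_list))
    print("extracted :", sorted(extracted))
```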

Original language: English
Title of host publication: Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008
Pages: 68-75
Number of pages: 8
Publication status: Published - 2008
Externally published: Yes
Event: 2008 International Symposium on Applications and the Internet, SAINT 2008 - Turku, Finland
Duration: 2008 Jul 28 - 2008 Aug 1

Publication series

Name: Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008

Conference

Conference: 2008 International Symposium on Applications and the Internet, SAINT 2008
Country/Territory: Finland
City: Turku
Period: 08/7/28 - 08/8/1

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
