Worm Evolution Tracking via Timing Analysis

INTRODUCTION
Worm outbreaks are security events that occur with relatively low frequency, but when they do occur, they can have a significant impact on daily network operations. This ever-present threat of severe network disruption has been the motivating factor behind most, if not all, research on practical strategies for worm detection and containment (see [11, 16, 18, 20, 21]). There is, however, one desirable aspect of research under the general umbrella of worm mitigation that has received far less attention in the past, namely back-tracking the evolution of a worm outbreak. In fact, thus far there has been little progress in the design and analysis of effective strategies for discovering the sequence in which a worm infected its victims. Even for worms that exhibit uniform scanning behavior, uncovering this sequence is a daunting task, but one that provides invaluable information. For one, doing so has direct pragmatic implications, as it allows network operators to pinpoint the initial set of infected machines and thereby glean potentially useful forensic evidence.

Unfortunately, to date there have been few proposals for retracing the steps of a worm infection. Xie et al. offered a randomized approach that traces the origin of a worm attack by performing a random walk over the hosts' contact graph [23]. The graph is generated by collecting traffic traces containing the list of hosts that contacted other potential victims during the worm's propagation. While this approach can provide a wealth of information about the worm's evolution, most notably the who-infected-whom tree and patient zero (i.e., the initial victim), it requires traffic traces on a global scale to reconstruct the evolution of a large-scale event. A different approach was suggested more recently by Kumar et al. [8], where the Witty worm [15] was reverse engineered to recover the random scanning algorithm and corresponding initial seeds. Given knowledge of the target selection algorithm, the sequence of scans could be re-enacted to provide a detailed view of the worm's evolution, and also provide insights into characteristics of the infected hosts. However, although the information required for this approach (i.e., the payload) can be recovered locally, the mechanism cannot be easily generalized to other worms, since each instance will have to undergo the same, possibly arduous, task of reverse engineering.
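To make the contact-graph idea concrete, here is an added example (not code from this paper, from Xie et al., or from Kumar et al.) that reconstructs a who-infected-whom tree and patient zero from timestamped flow records using timing alone. The flow records, host names and the inference rule are all assumptions constructed for illustration: a host is treated as infected from its first outbound scan on the worm's port, and its infector is taken to be the earliest already-scanning host that contacted it before that moment. A real random-walk or reverse-engineering approach is considerably more involved; this only shows what a local trace, ordered by time, can reveal to a forensic analyst.

```python
"""Infer a who-infected-whom tree from timestamped flow records.

Added example, not the paper's method. The inference rule (earliest
contact from an already-scanning host, before the victim's own first
scan) is a simplification assumed here for illustration only.
"""

# Constructed flow records: (timestamp, source host, destination host),
# all on the worm's target port. Host names are placeholders.
FLOWS = [
    (1.0, "h0", "h3"),
    (1.2, "h0", "h9"),   # h9 is contacted but never scans (e.g. patched)
    (2.0, "h3", "h5"),
    (2.1, "h0", "h7"),
    (2.5, "h5", "h0"),   # scan back at an already infected host; ignored
    (3.0, "h7", "h2"),
    (3.1, "h3", "h2"),   # later duplicate contact; not the infector
    (4.0, "h2", "h8"),   # h8 is contacted but never scans
]


def first_scan_times(flows):
    """Earliest outbound scan per host; a host that scans is treated as infected."""
    first = {}
    for t, src, _ in sorted(flows):
        first.setdefault(src, t)
    return first


def infer_infection_tree(flows):
    """Return (patient_zero, parent), where parent[v] is the host inferred
    to have infected v: the earliest host that contacted v at or after
    its own first scan and before v's first scan."""
    started = first_scan_times(flows)
    parent = {}
    for t, src, dst in sorted(flows):
        if dst not in started or dst in parent:
            continue  # never infected, or infector already found
        if src in started and started[src] <= t < started[dst]:
            parent[dst] = src
    roots = [h for h in started if h not in parent]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root, found {roots}")
    return roots[0], parent


def infection_order(flows):
    """Hosts in the order they began scanning, i.e. the reconstructed sequence."""
    started = first_scan_times(flows)
    return sorted(started, key=started.get)


def infection_path(parent, host):
    """Chain of infectors from host back to patient zero."""
    path = [host]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path


if __name__ == "__main__":
    patient_zero, parent = infer_infection_tree(FLOWS)
    print("patient zero:", patient_zero)
    print("infection order:", infection_order(FLOWS))
    for victim in infection_order(FLOWS):
        print(victim, "<-", " <- ".join(infection_path(parent, victim)[1:]) or "(root)")
```

Because the rule relies only on the relative order of contacts and first scans, it needs no knowledge of the worm's target-selection algorithm; the price is that it is only as complete as the trace, which is exactly the locality limitation the text raises for the contact-graph approach.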

