DoWitcher: Effective worm detection and containment in the internet core

S. Ranjan, S. Shah, A. Nucci, M. Munafò, R. Cruz, Shanmugavelayutham Muthukrishnan

    Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

    Abstract

    Enterprise networks are increasingly offloading the responsibility for worm detection and containment to the carrier networks. However, current approaches to the zero-day worm detection problem such as those based on content similarity of packet payloads are not scalable to the carrier link speeds (OC-48 and upwards). In this paper, we introduce a new system, namely DoWitcher, which in contrast to previous approaches is scalable as well as able to detect the stealthiest worms that employ low-propagation rates or polymorphisms to evade detection. DoWitcher uses an incremental approach toward worm detection: first, it examines the layer-4 traffic features to discern the presence of a worm anomaly; next, it determines a flow-filter mask that can be applied to isolate the suspect worm flows; and finally, it enables full-packet capture of only those flows that match the mask, which are then processed by a Longest Common Subsequence algorithm to extract the worm content signature. Via a proof-of-concept implementation on a commercially available network analyzer processing raw packets from an OC-48 link, we demonstrate the capability of DoWitcher to detect low-rate worms and extract signatures for even the polymorphic worms.

    Original language: English (US)
    Title of host publication: Proceedings - IEEE INFOCOM 2007
    Subtitle of host publication: 26th IEEE International Conference on Computer Communications
    Pages: 2541-2545
    Number of pages: 5
    DOIs: 10.1109/INFCOM.2007.317
    State: Published - Sep 4 2007
    Event: IEEE INFOCOM 2007: 26th IEEE International Conference on Computer Communications - Anchorage, AK, United States
    Duration: May 6 2007 to May 12 2007

    Publication series

    Name: Proceedings - IEEE INFOCOM
    ISSN (Print): 0743-166X

    Other

    Other: IEEE INFOCOM 2007: 26th IEEE International Conference on Computer Communications
    Country: United States
    City: Anchorage, AK
    Period: 5/6/07 to 5/12/07

    ASJC Scopus subject areas

    • Computer Science(all)
    • Electrical and Electronic Engineering

    Cite this

    Ranjan, S., Shah, S., Nucci, A., Munafò, M., Cruz, R., & Muthukrishnan, S. (2007). DoWitcher: Effective worm detection and containment in the internet core. In Proceedings - IEEE INFOCOM 2007: 26th IEEE International Conference on Computer Communications (pp. 2541-2545). [4215899] (Proceedings - IEEE INFOCOM). https://doi.org/10.1109/INFCOM.2007.317

    @inproceedings{e04c1682bb974e31acab26901c75d77e,
    title = "DoWitcher: Effective worm detection and containment in the internet core",
    abstract = "Enterprise networks are increasingly offloading the responsibility for worm detection and containment to the carrier networks. However, current approaches to the zero-day worm detection problem such as those based on content similarity of packet payloads are not scalable to the carrier link speeds (OC-48 and upwards). In this paper, we introduce a new system, namely DoWitcher, which in contrast to previous approaches is scalable as well as able to detect the stealthiest worms that employ low-propagation rates or polymorphisms to evade detection. DoWitcher uses an incremental approach toward worm detection: first, it examines the layer-4 traffic features to discern the presence of a worm anomaly; next, it determines a flow-filter mask that can be applied to isolate the suspect worm flows; and finally, it enables full-packet capture of only those flows that match the mask, which are then processed by a Longest Common Subsequence algorithm to extract the worm content signature. Via a proof-of-concept implementation on a commercially available network analyzer processing raw packets from an OC-48 link, we demonstrate the capability of DoWitcher to detect low-rate worms and extract signatures for even the polymorphic worms.",
    author = "S. Ranjan and S. Shah and A. Nucci and M. Munaf{\`o} and R. Cruz and Shanmugavelayutham Muthukrishnan",
    year = "2007",
    month = "9",
    day = "4",
    doi = "10.1109/INFCOM.2007.317",
    language = "English (US)",
    isbn = "1424410479",
    series = "Proceedings - IEEE INFOCOM",
    pages = "2541--2545",
    booktitle = "Proceedings - IEEE INFOCOM 2007",
    }
