Extracting worm-infected hosts using white list

Noriaki Kamiyama, Tatsuya Mori, Ryoichi Kawahara, Shigeaki Harada, Hideaki Yoshino

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

1 Citation (Scopus)

Abstract

On the Internet, the rapid spread of worms is a serious problem. In many cases, worm-infected hosts generate a huge number of small flows while scanning for other target hosts. Therefore, we defined hosts that generate many flows, i.e., a number greater than or equal to a threshold during a measurement period, as superspreaders, and we proposed a method of identifying superspreaders by flow sampling. However, some legitimate hosts that generate many flows, such as DNS servers, can also be superspreaders. Therefore, if we simply regulate all identified superspreaders, e.g., by limiting their flow generation rate or quarantining them, legitimate hosts identified as superspreaders are regulated as well. Legitimate hosts that generate many flows tend to be superspreaders in multiple consecutive measurement periods. In this paper, we propose a method of extracting worm-infected hosts from identified superspreaders using a white list. We define two network states, a normal state and a worm-outbreak state. During the normal state, the IP addresses of identified superspreaders are inserted into the white list. During the worm-outbreak state, worm-infected hosts are extracted from the identified superspreaders by comparing them with the host entries stored in the white list. Using an actual packet trace and simulated abusive traffic, we demonstrate that many legitimate hosts are filtered out of the identified superspreaders while suppressing the increase in worm-infected hosts that are incorrectly left unextracted.
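The two-state procedure described in the abstract, written out as an added Python sketch; this is not the authors' code and does not reproduce their sampling estimator or their trace. It counts flows per source host in each measurement period (optionally over a random flow sample, scaling the count back up by the sampling rate), flags hosts at or above the threshold as superspreaders, inserts superspreaders seen during the normal state into the white list, and in the worm-outbreak state reports only the superspreaders absent from the white list. The `min_periods` knob (how many consecutive normal periods a host must be a superspreader before it is whitelisted), the threshold value, and the traffic mix are assumptions made for this example.

```python
import random
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class NetState(Enum):
    NORMAL = "normal"
    OUTBREAK = "worm-outbreak"


@dataclass
class SuperspreaderExtractor:
    threshold: int = 50          # flows per period at/above which a host is a superspreader
    sample_rate: float = 1.0     # fraction of flows sampled (1.0 = count every flow)
    min_periods: int = 1         # consecutive normal periods before a host is whitelisted (assumed knob)
    seed: int = 1                # fixed RNG seed so the sampled run is reproducible
    white_list: set = field(default_factory=set)
    _streak: Counter = field(default_factory=Counter)

    def identify_superspreaders(self, flows):
        """Return the set of source IPs whose (estimated) flow count reaches the threshold.

        flows: iterable of (src_ip, dst_ip, dst_port) tuples for one measurement period.
        With sample_rate < 1 each flow is kept with that probability and the sampled
        count is divided by the rate to estimate the true per-host flow count.
        """
        rng = random.Random(self.seed)
        counts = Counter()
        for src, _dst, _port in flows:
            if self.sample_rate >= 1.0 or rng.random() < self.sample_rate:
                counts[src] += 1
        return {h for h, c in counts.items() if c / self.sample_rate >= self.threshold}

    def process_period(self, flows, state):
        """Run one measurement period in the given network state.

        Normal state: superspreaders feed the white list; nothing is extracted.
        Outbreak state: superspreaders not in the white list are returned as
        the hosts to extract (suspected worm-infected).
        """
        spreaders = self.identify_superspreaders(flows)
        if state is NetState.NORMAL:
            for h in spreaders:
                self._streak[h] += 1
                if self._streak[h] >= self.min_periods:
                    self.white_list.add(h)
            # A host that stops being a superspreader loses its consecutive-period streak.
            for h in list(self._streak):
                if h not in spreaders:
                    del self._streak[h]
            return set()
        return spreaders - self.white_list


def make_period_flows(worm_active, n_clients=20):
    """Constructed traffic for one period (sample data, not the paper's packet trace)."""
    flows = []
    # Legitimate DNS resolver: many small flows to many clients in every period.
    for i in range(120):
        flows.append(("10.0.0.53", f"10.0.2.{i % 200}", 53))
    # Ordinary clients: a handful of flows each, well under the threshold.
    for c in range(n_clients):
        for _ in range(5):
            flows.append((f"10.0.3.{c}", "10.0.0.80", 80))
    # Infected host (only during the outbreak): one flow to each of many destinations.
    if worm_active:
        for i in range(300):
            flows.append(("10.0.1.77", f"192.0.2.{i % 256}", 445))
    return flows


def run_demo(sample_rate=1.0):
    """Two normal periods build the white list, then one outbreak period is analysed."""
    ext = SuperspreaderExtractor(threshold=50, sample_rate=sample_rate, min_periods=2)
    for _ in range(2):
        ext.process_period(make_period_flows(worm_active=False), NetState.NORMAL)
    # In the outbreak period both the DNS server and the infected host exceed the
    # threshold, but the DNS server is whitelisted, so only the infected host is extracted.
    return ext.process_period(make_period_flows(worm_active=True), NetState.OUTBREAK)


if __name__ == "__main__":
    print("extracted (exact counts):", run_demo())
    print("extracted (50% flow sampling):", run_demo(sample_rate=0.5))
```

The white list is only ever written during the normal state, so a host that first becomes a superspreader during an outbreak cannot whitelist itself. The residual error the abstract calls "incorrectly unextracted" hosts is visible here too: if a host already in the white list becomes infected, its scanning flows are hidden behind its legitimate entry, which is why the list should be rebuilt from fresh normal-state periods rather than kept indefinitely.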

Original language: English
Title of host publication: Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008
Pages: 68-75
Number of pages: 8
DOIs: https://doi.org/10.1109/SAINT.2008.77
Publication status: Published - 2008
Externally published: Yes
Event: 2008 International Symposium on Applications and the Internet, SAINT 2008 - Turku
Duration: 2008 Jul 28 - 2008 Aug 1

Other

Other: 2008 International Symposium on Applications and the Internet, SAINT 2008
City: Turku
Period: 08/7/28 - 08/8/1

Fingerprint

Servers
Internet
Sampling
Scanning

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications

Cite this

Kamiyama, N., Mori, T., Kawahara, R., Harada, S., & Yoshino, H. (2008). Extracting worm-infected hosts using white list. In Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008 (pp. 68-75). [4604545] https://doi.org/10.1109/SAINT.2008.77

Extracting worm-infected hosts using white list. / Kamiyama, Noriaki; Mori, Tatsuya; Kawahara, Ryoichi; Harada, Shigeaki; Yoshino, Hideaki.

Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008. 2008. p. 68-75 4604545.

Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

Kamiyama, N, Mori, T, Kawahara, R, Harada, S & Yoshino, H 2008, Extracting worm-infected hosts using white list. in Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008., 4604545, pp. 68-75, 2008 International Symposium on Applications and the Internet, SAINT 2008, Turku, 08/7/28. https://doi.org/10.1109/SAINT.2008.77
Kamiyama N, Mori T, Kawahara R, Harada S, Yoshino H. Extracting worm-infected hosts using white list. In Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008. 2008. p. 68-75. 4604545 https://doi.org/10.1109/SAINT.2008.77
Kamiyama, Noriaki ; Mori, Tatsuya ; Kawahara, Ryoichi ; Harada, Shigeaki ; Yoshino, Hideaki. / Extracting worm-infected hosts using white list. Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008. 2008. pp. 68-75
@inproceedings{4a6134d902a448caa9fc7a1e1aca29cc,
title = "Extracting worm-infected hosts using white list",
abstract = "In the Internet, the rapid spread of worms is a serious problem. In many cases, worm-infected hosts generate a huge amount of flows with small size to search for other target hosts by scanning. Therefore, we defined hosts generating many flows, i.e., more than or equal to the threshold during a measurement period, as superspreaders, and we proposed a method of identifying superspreaders by flow sampling. However, some legitimate hosts generating many flows, such as DNS servers, can also be superspreaders. Therefore, if we simply regulate all the identified superspreaders, e.g., limiting their flow generation rate or quarantining them, legitimate hosts identified as superspreaders are also regulated. Legitimate hosts generating many flows tend to be superspreaders in multiple continuous measurement periods. In this paper, we propose a method of extracting worm-infected hosts from identified superspreaders using a white list. We define two network statuses, a normal state and a worm-outbreak state. During the normal state, the IP addresses of identified superspreaders are inserted into the white list. During the worm outbreak state, worm-infected hosts are extracted from the identified superspreaders by comparing them with the host entries stored in the white list. Using an actual packet trace and a simulated abusive traffic, we demonstrate that many legitimate hosts are filtered from the identified superspreaders while suppressing the increase in incorrectly unextracted worm-infected hosts.",
author = "Noriaki Kamiyama and Tatsuya Mori and Ryoichi Kawahara and Shigeaki Harada and Hideaki Yoshino",
year = "2008",
doi = "10.1109/SAINT.2008.77",
language = "English",
isbn = "9780769532974",
pages = "68--75",
booktitle = "Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008",

}

TY - GEN

T1 - Extracting worm-infected hosts using white list

AU - Kamiyama, Noriaki

AU - Mori, Tatsuya

AU - Kawahara, Ryoichi

AU - Harada, Shigeaki

AU - Yoshino, Hideaki

PY - 2008

Y1 - 2008

N2 - In the Internet, the rapid spread of worms is a serious problem. In many cases, worm-infected hosts generate a huge amount of flows with small size to search for other target hosts by scanning. Therefore, we defined hosts generating many flows, i.e., more than or equal to the threshold during a measurement period, as superspreaders, and we proposed a method of identifying superspreaders by flow sampling. However, some legitimate hosts generating many flows, such as DNS servers, can also be superspreaders. Therefore, if we simply regulate all the identified superspreaders, e.g., limiting their flow generation rate or quarantining them, legitimate hosts identified as superspreaders are also regulated. Legitimate hosts generating many flows tend to be superspreaders in multiple continuous measurement periods. In this paper, we propose a method of extracting worm-infected hosts from identified superspreaders using a white list. We define two network statuses, a normal state and a worm-outbreak state. During the normal state, the IP addresses of identified superspreaders are inserted into the white list. During the worm outbreak state, worm-infected hosts are extracted from the identified superspreaders by comparing them with the host entries stored in the white list. Using an actual packet trace and a simulated abusive traffic, we demonstrate that many legitimate hosts are filtered from the identified superspreaders while suppressing the increase in incorrectly unextracted worm-infected hosts.

AB - In the Internet, the rapid spread of worms is a serious problem. In many cases, worm-infected hosts generate a huge amount of flows with small size to search for other target hosts by scanning. Therefore, we defined hosts generating many flows, i.e., more than or equal to the threshold during a measurement period, as superspreaders, and we proposed a method of identifying superspreaders by flow sampling. However, some legitimate hosts generating many flows, such as DNS servers, can also be superspreaders. Therefore, if we simply regulate all the identified superspreaders, e.g., limiting their flow generation rate or quarantining them, legitimate hosts identified as superspreaders are also regulated. Legitimate hosts generating many flows tend to be superspreaders in multiple continuous measurement periods. In this paper, we propose a method of extracting worm-infected hosts from identified superspreaders using a white list. We define two network statuses, a normal state and a worm-outbreak state. During the normal state, the IP addresses of identified superspreaders are inserted into the white list. During the worm outbreak state, worm-infected hosts are extracted from the identified superspreaders by comparing them with the host entries stored in the white list. Using an actual packet trace and a simulated abusive traffic, we demonstrate that many legitimate hosts are filtered from the identified superspreaders while suppressing the increase in incorrectly unextracted worm-infected hosts.

UR - http://www.scopus.com/inward/record.url?scp=53849099995&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=53849099995&partnerID=8YFLogxK

U2 - 10.1109/SAINT.2008.77

DO - 10.1109/SAINT.2008.77

M3 - Conference contribution

AN - SCOPUS:53849099995

SN - 9780769532974

SP - 68

EP - 75

BT - Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008

ER -