Extracting worm-infected hosts using white list

Noriaki Kamiyama, Tatsuya Mori, Ryoichi Kawahara, Shigeaki Harada, Hideaki Yoshino

Research output: Conference contribution

1 Citation (Scopus)

Abstract

In the Internet, the rapid spread of worms is a serious problem. In many cases, worm-infected hosts generate a huge number of small flows to search for other target hosts by scanning. Therefore, we defined hosts generating many flows, i.e., more than or equal to the threshold during a measurement period, as superspreaders, and we proposed a method of identifying superspreaders by flow sampling. However, some legitimate hosts generating many flows, such as DNS servers, can also be superspreaders. Therefore, if we simply regulate all the identified superspreaders, e.g., limiting their flow generation rate or quarantining them, legitimate hosts identified as superspreaders are also regulated. Legitimate hosts generating many flows tend to be superspreaders in multiple continuous measurement periods. In this paper, we propose a method of extracting worm-infected hosts from identified superspreaders using a white list. We define two network statuses, a normal state and a worm-outbreak state. During the normal state, the IP addresses of identified superspreaders are inserted into the white list. During the worm-outbreak state, worm-infected hosts are extracted from the identified superspreaders by comparing them with the host entries stored in the white list. Using an actual packet trace and simulated abusive traffic, we demonstrate that many legitimate hosts are filtered from the identified superspreaders while suppressing the increase in incorrectly unextracted worm-infected hosts.
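The two-state white-list procedure described in the abstract, as an added sketch that is not code from the paper. Assumptions: the threshold value is arbitrary, every flow is counted (the paper identifies superspreaders by flow sampling), the normal/outbreak label is supplied by the caller, and all addresses and flows are constructed from documentation ranges.

```python
from collections import Counter

THRESHOLD = 5  # assumed: flows per measurement period that make a superspreader

def superspreaders(flows, threshold=THRESHOLD):
    """Source hosts with >= threshold flows in one measurement period."""
    counts = Counter(src for src, _dst in flows)
    return {host for host, n in counts.items() if n >= threshold}

class WhiteListExtractor:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.white_list = set()

    def process_period(self, flows, state):
        """state is 'normal' or 'outbreak'; the caller supplies it (assumption)."""
        found = superspreaders(flows, self.threshold)
        if state == "normal":
            self.white_list |= found        # learn legitimate heavy hitters
            return set()
        if state == "outbreak":
            return found - self.white_list  # suspected worm-infected hosts
        raise ValueError(f"unknown state: {state!r}")

def flows_from(src, n):
    """Constructed flows: src contacts n distinct documentation-range hosts."""
    return [(src, f"198.51.100.{i}") for i in range(1, n + 1)]

def run_demo():
    dns, web, client, worm = "192.0.2.53", "192.0.2.80", "192.0.2.10", "192.0.2.66"
    periods = [  # constructed trace, not data from the paper
        ("normal", flows_from(dns, 8) + flows_from(client, 2)),
        ("normal", flows_from(dns, 7) + flows_from(web, 6)),
        # outbreak: `worm` scans; `web` is assumed infected after being whitelisted
        ("outbreak", flows_from(dns, 9) + flows_from(worm, 20)
                     + flows_from(web, 15) + flows_from(client, 1)),
    ]
    infected = {worm, web}
    extractor = WhiteListExtractor()
    extracted = set()
    for state, flows in periods:
        extracted |= extractor.process_period(flows, state)
    missed = infected - extracted  # infected hosts hidden by the white list
    return extracted, missed, extractor.white_list

if __name__ == "__main__":
    print(run_demo())
```

The `missed` set corresponds to the "incorrectly unextracted worm-infected hosts" the abstract mentions: a host that entered the white list during the normal state is not extracted if it is infected later.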

Original language: English
Title of host publication: Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008
Pages: 68-75
Number of pages: 8
Publication status: Published - 2008-10-20
Externally published: Yes
Event: 2008 International Symposium on Applications and the Internet, SAINT 2008 - Turku, Finland
Duration: 2008-07-28 to 2008-08-01

Publication series

Name: Proceedings - 2008 International Symposium on Applications and the Internet, SAINT 2008

Conference

Conference: 2008 International Symposium on Applications and the Internet, SAINT 2008
Country/Territory: Finland
City: Turku
Period: 08/7/28 to 08/8/1

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
