TY - GEN
T1 - DoWitcher
T2 - IEEE INFOCOM 2007: 26th IEEE International Conference on Computer Communications
AU - Ranjan, S.
AU - Shah, S.
AU - Nucci, A.
AU - Munafò, M.
AU - Cruz, R.
AU - Muthukrishnan, S.
PY - 2007
Y1 - 2007
N2 - Enterprise networks are increasingly offloading the responsibility for worm detection and containment to the carrier networks. However, current approaches to the zero-day worm detection problem, such as those based on content similarity of packet payloads, are not scalable to carrier link speeds (OC-48 and upwards). In this paper, we introduce a new system, DoWitcher, which in contrast to previous approaches is scalable as well as able to detect the stealthiest worms, those that employ low propagation rates or polymorphism to evade detection. DoWitcher uses an incremental approach to worm detection: first, it examines layer-4 traffic features to discern the presence of a worm anomaly; next, it determines a flow-filter mask that can be applied to isolate the suspect worm flows; and finally, it enables full-packet capture of only those flows that match the mask, which are then processed by a Longest Common Subsequence algorithm to extract the worm content signature. Via a proof-of-concept implementation on a commercially available network analyzer processing raw packets from an OC-48 link, we demonstrate the capability of DoWitcher to detect low-rate worms and to extract signatures even for polymorphic worms.
UR - http://www.scopus.com/inward/record.url?scp=34548301939&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34548301939&partnerID=8YFLogxK
U2 - 10.1109/INFCOM.2007.317
DO - 10.1109/INFCOM.2007.317
M3 - Conference contribution
AN - SCOPUS:34548301939
SN - 1424410479
SN - 9781424410477
T3 - Proceedings - IEEE INFOCOM
SP - 2541
EP - 2545
BT - Proceedings - IEEE INFOCOM 2007
Y2 - 6 May 2007 through 12 May 2007
ER -
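The three-stage pipeline the abstract describes (layer-4 anomaly, flow-filter mask, payload capture followed by Longest Common Subsequence) can be walked through on toy data. The block below is an added illustration written for this record; it is not the authors' DoWitcher implementation and makes no claim about their feature set or thresholds. Everything in it is assumed: the flow-record schema, the fan-out and failed-handshake thresholds, the invariant bytes `INV1`/`INV2` standing in for the unchanging part of a polymorphic payload, and the constructed benign and infected flows. The LCS stage is done as a pairwise reduction, which is a simplification of multi-sequence signature extraction.

```python
"""Toy walk-through of the three-stage pipeline the DoWitcher abstract describes
(layer-4 anomaly -> flow-filter mask -> payload capture + LCS signature).
Added illustration, not the authors' code; every flow below is constructed."""
from collections import defaultdict
from functools import reduce

def flow(src, dst, dport, ok, payload=b""):
    """One TCP connection attempt; ok=False means the handshake never completed."""
    return {"src": src, "dst": dst, "proto": "tcp", "dport": dport, "ok": ok, "payload": payload}

# Assumed invariant bytes every worm instance carries (SMB magic + exploit stub);
# the padding around them changes per instance to simulate polymorphism.
INV1, INV2 = b"\xffSMB\x72", b"\x90\x90\xeb\x1e"

def worm_payload(pad_a, pad_b):
    return INV1 + pad_a + INV2 + pad_b

# Constructed traffic: three web clients, one legitimate SMB session, and two
# infected hosts probing many peers on 445 at a low rate. Most probes fail; the
# occasional listener receives a differently padded copy of the worm.
FLOWS = [flow(f"10.0.1.{i}", "93.184.216.34", 80, True, b"GET / HTTP/1.1\r\n") for i in (1, 2, 3)]
FLOWS.append(flow("10.0.1.2", "10.0.2.20", 445, True, b"\xffSMB\x72 legit session"))
for n, (src, pad_a, pad_b) in enumerate([("10.0.0.5", b"aaaa", b"bb"), ("10.0.0.9", b"ccccc", b"ddd")]):
    FLOWS += [flow(src, f"10.0.3.{n * 10 + k}", 445, False) for k in range(1, 9)]
    FLOWS.append(flow(src, f"10.0.3.{n * 10 + 9}", 445, True, worm_payload(pad_a, pad_b)))
FLOWS.append(flow("10.0.0.5", "10.0.3.30", 445, True, worm_payload(b"ee", b"ffff")))

FANOUT, FAIL_RATIO = 5, 0.5  # thresholds picked for this toy data set

def layer4_anomaly(flows):
    """Stage 1: per (src, proto, dport), count distinct peers and failed handshakes.
    A source fanning out to many peers with mostly failed connects looks like
    scanning regardless of how slowly it probes."""
    dsts, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for f in flows:
        key = (f["src"], f["proto"], f["dport"])
        dsts[key].add(f["dst"])
        total[key] += 1
        fails[key] += not f["ok"]
    return {k for k in total if len(dsts[k]) >= FANOUT and fails[k] / total[k] >= FAIL_RATIO}

def flow_filter_mask(suspects):
    """Stage 2: collapse the suspect keys into one mask (proto, dport, source set)."""
    services = {(proto, dport) for _, proto, dport in suspects}
    if len(services) != 1:
        raise ValueError("toy handles exactly one anomalous service")
    (proto, dport), = services
    return {"proto": proto, "dport": dport, "srcs": {src for src, _, _ in suspects}}

def matches(f, mask):
    return f["proto"] == mask["proto"] and f["dport"] == mask["dport"] and f["src"] in mask["srcs"]

def lcs(a, b):
    """Longest common subsequence of two byte strings, O(len(a) * len(b))."""
    n, m = len(a), len(b)
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            dp[i][j] = dp[i + 1][j + 1] + 1 if a[i] == b[j] else max(dp[i + 1][j], dp[i][j + 1])
    out, i, j = bytearray(), 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            out.append(a[i]); i += 1; j += 1
        elif dp[i + 1][j] >= dp[i][j + 1]:
            i += 1
        else:
            j += 1
    return bytes(out)

def contiguous_tokens(common, payloads, min_len=3):
    """An LCS is a subsequence; keep only runs that occur verbatim in every payload,
    since those are what a content signature can actually match."""
    tokens, run = [], b""
    for i in range(len(common)):
        cand = run + common[i:i + 1]
        if all(cand in p for p in payloads):
            run = cand
        else:
            if len(run) >= min_len:
                tokens.append(run)
            run = common[i:i + 1]
    if len(run) >= min_len:
        tokens.append(run)
    return tokens

def run_pipeline(flows):
    """Stages 1-3, plus a false-positive check against the non-suspect payloads."""
    mask = flow_filter_mask(layer4_anomaly(flows))
    # Stage 3: full payloads are kept only for flows the mask selects.
    captured = [f["payload"] for f in flows if matches(f, mask) and f["payload"]]
    tokens = contiguous_tokens(reduce(lcs, captured), captured)
    # A token that also appears in non-suspect traffic is protocol framing, not worm content.
    benign = [f["payload"] for f in flows if not matches(f, mask)]
    tokens = [t for t in tokens if not any(t in b for b in benign)]
    return mask, captured, tokens

if __name__ == "__main__":
    mask, captured, tokens = run_pipeline(FLOWS)
    print(f"mask={mask}\ncaptured {len(captured)} of {len(FLOWS)} flows\ntokens={tokens}")
```

On this data the mask selects only the two infected sources on 445, so 3 of the 23 flows are captured in full; the LCS over those three payloads recovers both invariant runs, and the benign-traffic check then drops the SMB magic (it is in the legitimate session too), leaving the exploit stub as the usable signature token. The two points worth carrying to real traffic are that an LCS is a subsequence, so it must be cut into contiguous runs before it becomes a content match, and that any candidate token should be replayed against non-suspect payloads before deployment.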