TY - GEN
T1 - Early containment of worms using dummy addresses and connection trace back
AU - Inaba, Taro
AU - Kawaguchi, Nobutaka
AU - Tahara, Shinya
AU - Shigeno, Hiroshi
AU - Okada, Ken Ichi
PY - 2007/12/1
Y1 - 2007/12/1
N2 - Most existing network worms have used address scanning to find vulnerable hosts. Recently, however, worms with more effective propagation strategies have emerged. Among these, we focus on worms that exploit address lists obtained from infected hosts to find other vulnerable hosts efficiently. In this paper, we propose a method to detect and contain such worms, which try to infect all hosts in an enterprise network. In our method, a detection system inserts some dummy addresses into the address lists of hosts in the network. The system then detects the presence of a worm when a host tries to open a connection to a dummy address, traces back the connection logs to find potentially infected hosts, and removes them from the network. Computer simulation results showed that our method detected and contained worms with less than 1% of hosts infected and less than 5% of hosts removed.
AB - Most existing network worms have used address scanning to find vulnerable hosts. Recently, however, worms with more effective propagation strategies have emerged. Among these, we focus on worms that exploit address lists obtained from infected hosts to find other vulnerable hosts efficiently. In this paper, we propose a method to detect and contain such worms, which try to infect all hosts in an enterprise network. In our method, a detection system inserts some dummy addresses into the address lists of hosts in the network. The system then detects the presence of a worm when a host tries to open a connection to a dummy address, traces back the connection logs to find potentially infected hosts, and removes them from the network. Computer simulation results showed that our method detected and contained worms with less than 1% of hosts infected and less than 5% of hosts removed.
UR - http://www.scopus.com/inward/record.url?scp=48049123693&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=48049123693&partnerID=8YFLogxK
U2 - 10.1109/ICPADS.2007.4447717
DO - 10.1109/ICPADS.2007.4447717
M3 - Conference contribution
AN - SCOPUS:48049123693
SN - 9781424418909
T3 - Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS
BT - The 13th International Conference on Parallel and Distributed Systems, ICPADS
T2 - 13th International Conference on Parallel and Distributed Systems, ICPADS
Y2 - 5 December 2007 through 7 December 2007
ER -