Early containment of worms using dummy addresses and connection trace back

Taro Inaba, Nobutaka Kawaguchi, Shinya Tahara, Hiroshi Shigeno, Ken Ichi Okada

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Most of existing network worms have used address scanning to find vulnerable hosts. Recently, however, worms with more effective propagation strategies have emerged. Among the worms, we focus on the worms that exploit address lists obtained from infected hosts to find other vulnerable hosts effectively. In this paper, we propose a method to detect and contain such worms that try to infect all hosts in an enterprise network. In our method, a detection system inserts some dummy addresses into the address lists of hosts in the network. Then, the system detects the existence of worms when a host tries to open a connection to a dummy address, and then traces back the connection logs to find potentially infected hosts and removes them from the network. Computer simulation results showed our method detected and contained worms with less than 1% infected hosts and less than 5% removed hosts.

Original language: English
Title of host publication: Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS
Volume: 1
DOIs: https://doi.org/10.1109/ICPADS.2007.4447717
Publication status: Published - 2007
Event: 13th International Conference on Parallel and Distributed Systems, ICPADS - Hsinchu, Taiwan, Province of China
Duration: 2007 Dec 5 to 2007 Dec 7

Other

Other: 13th International Conference on Parallel and Distributed Systems, ICPADS
Country: Taiwan, Province of China
City: Hsinchu
Period: 07/12/5 to 07/12/7

Fingerprint

Scanning
Computer simulation
Industry

ASJC Scopus subject areas

  • Engineering(all)

Cite this

Inaba, T., Kawaguchi, N., Tahara, S., Shigeno, H., & Okada, K. I. (2007). Early containment of worms using dummy addresses and connection trace back. In Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS (Vol. 1). [4447717] https://doi.org/10.1109/ICPADS.2007.4447717

@inproceedings{bb0dee211e8449ae8bd452f63214fbd6,
title = "Early containment of worms using dummy addresses and connection trace back",
author = "Taro Inaba and Nobutaka Kawaguchi and Shinya Tahara and Hiroshi Shigeno and Okada, {Ken Ichi}",
year = "2007",
doi = "10.1109/ICPADS.2007.4447717",
language = "English",
isbn = "9781424418909",
volume = "1",
booktitle = "Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS",

}

TY - GEN

T1 - Early containment of worms using dummy addresses and connection trace back

AU - Inaba, Taro

AU - Kawaguchi, Nobutaka

AU - Tahara, Shinya

AU - Shigeno, Hiroshi

AU - Okada, Ken Ichi

PY - 2007

Y1 - 2007

UR - http://www.scopus.com/inward/record.url?scp=48049123693&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=48049123693&partnerID=8YFLogxK

U2 - 10.1109/ICPADS.2007.4447717

DO - 10.1109/ICPADS.2007.4447717

M3 - Conference contribution

AN - SCOPUS:48049123693

SN - 9781424418909

VL - 1

BT - Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS

ER -