Early containment of worms using dummy addresses and connection trace back

Taro Inaba; Nobutaka Kawaguchi; Shinya Tahara; Hiroshi Shigeno; Ken Ichi Okada

doi:10.1109/ICPADS.2007.4447717

Early containment of worms using dummy addresses and connection trace back

Taro Inaba, Nobutaka Kawaguchi, Shinya Tahara, Hiroshi Shigeno, Ken Ichi Okada

Department of Information and Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Citation (Scopus)

Abstract

Most of existing network worms have used address scanning to find vulnerable hosts. Recently, however, worms with more effective propagation strategies have emerged. Among the worms, we focus on the worms that exploit address lists obtained from infected hosts to find other vulnerable hosts effectively. In this paper, we propose a method to detect and contain such worms that try to infect all hosts in an enterprise network. In our method, a detection system inserts some dummy addresses into the address lists of hosts in the network. Then, the system detects the existence of worms when a host tries to open a connection to a dummy address, and then traces back the connection logs to find potentially infected hosts and removes them from the network. Computer simulation results showed our method detected and contained worms with less than 1% infected hosts and less than 5% removed hosts.

Original language	English
Title of host publication	The 13th International Conference on Parallel and Distributed Systems, ICPADS
DOIs	https://doi.org/10.1109/ICPADS.2007.4447717
Publication status	Published - 2007 Dec 1
Event	13th International Conference on Parallel and Distributed Systems, ICPADS - Hsinchu, Taiwan, Province of China Duration: 2007 Dec 5 → 2007 Dec 7

Publication series

Name	Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS
Volume	1
ISSN (Print)	1521-9097

Other

Other	13th International Conference on Parallel and Distributed Systems, ICPADS
Country/Territory	Taiwan, Province of China
City	Hsinchu
Period	07/12/5 → 07/12/7

ASJC Scopus subject areas

Hardware and Architecture

Access to Document

10.1109/ICPADS.2007.4447717

Cite this

Inaba, T., Kawaguchi, N., Tahara, S., Shigeno, H., & Okada, K. I. (2007). Early containment of worms using dummy addresses and connection trace back. In The 13th International Conference on Parallel and Distributed Systems, ICPADS [4447717] (Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS; Vol. 1). https://doi.org/10.1109/ICPADS.2007.4447717

Early containment of worms using dummy addresses and connection trace back. / Inaba, Taro; Kawaguchi, Nobutaka; Tahara, Shinya et al.

The 13th International Conference on Parallel and Distributed Systems, ICPADS. 2007. 4447717 (Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS; Vol. 1).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Inaba, T, Kawaguchi, N, Tahara, S, Shigeno, H & Okada, KI 2007, Early containment of worms using dummy addresses and connection trace back. in The 13th International Conference on Parallel and Distributed Systems, ICPADS., 4447717, Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS, vol. 1, 13th International Conference on Parallel and Distributed Systems, ICPADS, Hsinchu, Taiwan, Province of China, 07/12/5. https://doi.org/10.1109/ICPADS.2007.4447717

@inproceedings{bb0dee211e8449ae8bd452f63214fbd6,

title = "Early containment of worms using dummy addresses and connection trace back",

abstract = "Most of existing network worms have used address scanning to find vulnerable hosts. Recently, however, worms with more effective propagation strategies have emerged. Among the worms, we focus on the worms that exploit address lists obtained from infected hosts to find other vulnerable hosts effectively. In this paper, we propose a method to detect and contain such worms that try to infect all hosts in an enterprise network. In our method, a detection system inserts some dummy addresses into the address lists of hosts in the network. Then, the system detects the existence of worms when a host tries to open a connection to a dummy address, and then traces back the connection logs to find potentially infected hosts and removes them from the network. Computer simulation results showed our method detected and contained worms with less than 1% infected hosts and less than 5% removed hosts.",

author = "Taro Inaba and Nobutaka Kawaguchi and Shinya Tahara and Hiroshi Shigeno and Okada, {Ken Ichi}",

year = "2007",

month = dec,

day = "1",

doi = "10.1109/ICPADS.2007.4447717",

language = "English",

isbn = "9781424418909",

series = "Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS",

booktitle = "The 13th International Conference on Parallel and Distributed Systems, ICPADS",

note = "13th International Conference on Parallel and Distributed Systems, ICPADS ; Conference date: 05-12-2007 Through 07-12-2007",

}

TY - GEN

T1 - Early containment of worms using dummy addresses and connection trace back

AU - Inaba, Taro

AU - Kawaguchi, Nobutaka

AU - Tahara, Shinya

AU - Shigeno, Hiroshi

AU - Okada, Ken Ichi

PY - 2007/12/1

Y1 - 2007/12/1

N2 - Most of existing network worms have used address scanning to find vulnerable hosts. Recently, however, worms with more effective propagation strategies have emerged. Among the worms, we focus on the worms that exploit address lists obtained from infected hosts to find other vulnerable hosts effectively. In this paper, we propose a method to detect and contain such worms that try to infect all hosts in an enterprise network. In our method, a detection system inserts some dummy addresses into the address lists of hosts in the network. Then, the system detects the existence of worms when a host tries to open a connection to a dummy address, and then traces back the connection logs to find potentially infected hosts and removes them from the network. Computer simulation results showed our method detected and contained worms with less than 1% infected hosts and less than 5% removed hosts.

AB - Most of existing network worms have used address scanning to find vulnerable hosts. Recently, however, worms with more effective propagation strategies have emerged. Among the worms, we focus on the worms that exploit address lists obtained from infected hosts to find other vulnerable hosts effectively. In this paper, we propose a method to detect and contain such worms that try to infect all hosts in an enterprise network. In our method, a detection system inserts some dummy addresses into the address lists of hosts in the network. Then, the system detects the existence of worms when a host tries to open a connection to a dummy address, and then traces back the connection logs to find potentially infected hosts and removes them from the network. Computer simulation results showed our method detected and contained worms with less than 1% infected hosts and less than 5% removed hosts.

UR - http://www.scopus.com/inward/record.url?scp=48049123693&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=48049123693&partnerID=8YFLogxK

U2 - 10.1109/ICPADS.2007.4447717

DO - 10.1109/ICPADS.2007.4447717

M3 - Conference contribution

AN - SCOPUS:48049123693

SN - 9781424418909

T3 - Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS

BT - The 13th International Conference on Parallel and Distributed Systems, ICPADS

T2 - 13th International Conference on Parallel and Distributed Systems, ICPADS

Y2 - 5 December 2007 through 7 December 2007

ER -

Early containment of worms using dummy addresses and connection trace back

Abstract

Publication series

Other

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this