
Hit-list worm detection and bot identification in large networks using protocol graphs

Publication, Conference
Collins, MP; Reiter, MK
Published in: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
January 1, 2007

We present a novel method for detecting hit-list worms using protocol graphs. In a protocol graph, a vertex represents a single IP address, and an edge represents communications between those addresses using a specific protocol (e.g., HTTP). We show that the protocol graphs of four diverse and representative protocols (HTTP, FTP, SMTP, and Oracle), as constructed from monitoring for fixed durations on a large intercontinental network, exhibit stable graph sizes and largest connected component sizes. Moreover, we demonstrate that worm propagations, even of a sophisticated hit-list variety in which the attacker has advance knowledge of his targets and always connects successfully, perturb these properties. We demonstrate that these properties can be monitored very efficiently even in very large networks, giving rise to a viable and novel approach for worm detection. We also demonstrate extensions by which the attacking hosts (bots) can be identified with high accuracy. © Springer-Verlag Berlin Heidelberg 2007.
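The two properties the abstract names, graph size and largest connected component size, can be computed per observation window with a union-find pass over flow records. The sketch below is an added example, not the authors' code: the function names, the k-standard-deviation alert rule, and the sample flows and baseline are all constructed assumptions.

```python
from statistics import mean, stdev

def graph_stats(flows):
    """Return (vertex count, largest connected component size) for one window.

    flows: iterable of (src_ip, dst_ip) pairs observed for a single protocol.
    """
    parent, size = {}, {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for src, dst in flows:
        for ip in (src, dst):
            if ip not in parent:
                parent[ip], size[ip] = ip, 1
        a, b = find(src), find(dst)
        if a != b:
            if size[a] < size[b]:
                a, b = b, a
            parent[b] = a          # union by size
            size[a] += size[b]
    largest = max((size[find(ip)] for ip in parent), default=0)
    return len(parent), largest

def is_anomalous(value, baseline, k=3.0):
    """Assumed rule: flag a value more than k standard deviations above the baseline mean."""
    return value > mean(baseline) + k * stdev(baseline)

# Constructed sample flows (documentation address ranges), not real traffic.
NORMAL = [("192.0.2.1", "198.51.100.1"), ("192.0.2.2", "198.51.100.1"),
          ("192.0.2.3", "198.51.100.2"), ("192.0.2.4", "198.51.100.3")]
# Same window plus one client contacting servers in previously separate components.
SPREAD = NORMAL + [("192.0.2.1", "198.51.100.2"), ("192.0.2.1", "198.51.100.3"),
                   ("192.0.2.1", "203.0.113.9")]
BASELINE_LCC = [3, 3, 4, 3, 3, 4]  # constructed history of largest-component sizes

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("spread", SPREAD)):
        vertices, lcc = graph_stats(window)
        print(name, vertices, lcc, is_anomalous(lcc, BASELINE_LCC))
```

In the constructed data the extra connections add only one vertex but merge three components into one, which is why the largest-component size moves far more than the graph size.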


Published In

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

DOI

EISSN

1611-3349

ISSN

0302-9743

Publication Date

January 1, 2007

Volume

4637 LNCS

Start / End Page

276 / 295

Related Subject Headings

  • Artificial Intelligence & Image Processing
  • 46 Information and computing sciences
 

Citation

APA: Collins, M. P., & Reiter, M. K. (2007). Hit-list worm detection and bot identification in large networks using protocol graphs. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 4637 LNCS, pp. 276–295). https://doi.org/10.1007/978-3-540-74320-0_15

Chicago: Collins, M. P., and M. K. Reiter. “Hit-list worm detection and bot identification in large networks using protocol graphs.” In Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 4637 LNCS:276–95, 2007. https://doi.org/10.1007/978-3-540-74320-0_15.

ICMJE: Collins MP, Reiter MK. Hit-list worm detection and bot identification in large networks using protocol graphs. In: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). 2007. p. 276–95.

MLA: Collins, M. P., and M. K. Reiter. “Hit-list worm detection and bot identification in large networks using protocol graphs.” Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4637 LNCS, 2007, pp. 276–95. Scopus, doi:10.1007/978-3-540-74320-0_15.

NLM: Collins MP, Reiter MK. Hit-list worm detection and bot identification in large networks using protocol graphs. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics). 2007. p. 276–295.
