Authors: Andrew L. Burt, Michael Darschewski, Indrajit Ray, Ramakrishna Thurimella, Hailin Wu
Addresses: Techsoft, P.O. Box 16143, Golden, CO 80402, USA. ' University of Denver, Denver, CO 80210, USA. ' Colorado State University, Fort Collins, CO 80523, USA. ' University of Denver, Denver, CO 80210, USA. ' Array Networks, Milpitas, CA 95035, USA
Abstract: An automatic distributed mechanism is proposed to identify the propagation roots of fast spreading internet worms. The information obtained can be used to identify local worm outbreaks, identify network intrusion, identify internal network misuse, and help with the forensic trace-back after detection. It has been designed with simplicity, efficacy, and ease of deployment in mind. Two modes of operation are possible, yielding both real-time and post mortem propagation information. The proposed paradigm can work in unison with any intrusion detection, throttling and human-mediated responses. Simulation results show that even with only 20–30% deployment, worm origins can be pinpointed with great precision.
Keywords: computer worm attacks; attack trace-back; network security; internet worms; intrusion detection; simulation; worm origins.
International Journal of Security and Networks, 2008 Vol.3 No.1, pp.36 - 46
Available online: 09 Dec 2007 *Full-text access for editors Access for subscribers Purchase this article Comment on this article