Skip to main content
USENIX
  • Conferences
  • Students
Sign in

connect with us


  •  Twitter
  •  Facebook
  •  LinkedIn
  •  Google+
  •  YouTube

twitter

Tweets by @usenix

usenix conference policies

  • Event Code of Conduct
  • Conference Network Policy
  • Statement on Environmental Responsibility Policy

You are here

Home ยป On the Effectiveness of Distributed Worm Monitoring
Tweet

connect with us

On the Effectiveness of Distributed Worm Monitoring

Abstract: 

Distributed monitoring of unused portions of the IP address space holds the promise of providing early and accurate detection of high-profile security events, especially Internet worms. While this observation has been accepted for some time now, a systematic analysis of the requirements for building an effective distributed monitoring infrastructure is still missing. In this paper, we attempt to quantify the benefits of distributed monitoring and evaluate the practicality of this approach. To do so we developed a new worm propagation model that relaxes earlier assumptions regarding the uniformity of the underlying vulnerable population. This model allows us to evaluate how the size of the monitored address space, as well the number and locations of monitors, impact worm detection time. We empirically evaluate the effect of these parameters using traffic traces from over 1.5 billion suspicious connection attempts observed by more than 1600 intrusion detection systems dispersed across the Internet.

Our results show that distributed monitors with half the allocated space of a centralized monitor can detect non-uniform scanning worms in half the time. Moreover, a distributed monitor of the same size as a centralized monitor can detect the worm four times faster. Furthermore, we show that even partial knowledge of the vulnerable population density can be used to improve monitor placement. Exploiting information about the location of the vulnerable population leads, in some cases, to detection time that is seven times as fast compared to random monitor deployment.

Moheeb Abu Rajab, Johns Hopkins University

Fabian Monrose, Johns Hopkins University

Andreas Terzis, Johns Hopkins University

BibTeX
@inproceedings {269247,
author = {Moheeb Abu Rajab and Fabian Monrose and Andreas Terzis},
title = {On the Effectiveness of Distributed Worm Monitoring},
booktitle = {14th USENIX Security Symposium (USENIX Security 05)},
year = {2005},
address = {Baltimore, MD},
url = {https://www.usenix.org/conference/14th-usenix-security-symposium/effectiveness-distributed-worm-monitoring},
publisher = {USENIX Association},
month = jul,
}
Download

Links

Paper: 
http://usenix.org/publications/library/proceedings/sec05/tech/full_papers/rajab/rajab.pdf
Paper (HTML): 
http://usenix.org/publications/library/proceedings/sec05/tech/full_papers/rajab/rajab_html/index.html
  • Log in or    Register to post comments

© USENIX

  • Privacy Policy
  • Contact Us