Toward a framework for forensic analysis of scanning worms

Ihab Hamadeh, George Kesidis

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

1 Scopus citations


Scanning worms have been around for a while and have had some damaging effects on the Internet. Because of their fast spread and their random selection of target victims, building global knowledge about which infected end-systems caused the infection of which susceptible end-systems seems fairly hard. In this paper, we propose to find the originator(s) (i.e., the first infected end-system(s)) that spread the worm. The broader view is to build the complete infection tree(s) rooted at the originator(s), whose leaves consist of susceptible machines becoming infected. In addition, scanning worms could unintentionally divulge some information about the machines they infect. We will show how such information could be extracted from the scans of a victim end-system. We studied two different worms, the SQL Slammer/Sapphire worm and the Witty worm, and demonstrated the possibility of building the infection tree and gathering information about the infected end-systems.

Original language: English (US)
Title of host publication: Emerging Trends in Information and Communication Security - International Conference, ETRICS 2006, Proceedings
Publisher: Springer Verlag
Number of pages: 16
ISBN (Print): 3540346406, 9783540346401
State: Published - Jan 1 2006
Event: International Conference on Emerging Trends in Information and Communication Security, ETRICS 2006 - Freiburg, Germany
Duration: Jun 6 2006 to Jun 9 2006

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 3995 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Other: International Conference on Emerging Trends in Information and Communication Security, ETRICS 2006

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science (all)

