Toward a framework for forensic analysis of scanning worms

Ihab Hamadeh, George Kesidis

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution


Abstract

Scanning worms have been around for a while and have had some damaging effects on the Internet. Because of their fast spread and their random selection of their target victims, building a global knowledge about which infected end-systems caused the infection of which susceptible end-systems seems fairly hard. In this paper, we propose to find the originator(s) (i.e., first infected end-system(s)) that spread the worm. The broader view is to build the complete infection tree(s) rooted at the originator(s) and whose leaves consist of susceptible machines becoming infected. Besides, scanning worms could unintentionally divulge some information about the machines they infect. We will show how such information could be extracted from the scans of a victim end-system. We studied two different worms, the SQL Slammer/Sapphire worm and the Witty worm, and demonstrated the possibility of building the infection tree and gathering information about the infected end-systems.
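The following Python is an added illustration of the infection-tree idea in the abstract; it is not code from the paper and does not reproduce the authors' method, which the abstract does not detail. It assumes the simplifying condition the abstract describes as hard to obtain in practice, namely a complete global view of every scan the worm sent (time, source, destination), and replays a constructed, hypothetical trace over a constructed set of susceptible hosts. All addresses and timings are invented for the example.

```python
"""Infection-tree reconstruction from a constructed global scan trace.

Added illustration; not the paper's method or data. Assumes every worm
scan is observed with its timestamp, source and destination.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Scan:
    t: float   # observation time, seconds after the first scan
    src: str   # scanning (hence infected) host
    dst: str   # randomly chosen target


# Constructed, hypothetical trace. Two independent originators (10.0.0.1 and
# 10.0.1.1) seed two separate trees; 10.0.0.9 and 10.0.0.6 are scanned but
# are not susceptible, so they never become infected.
TRACE = [
    Scan(0.0, "10.0.0.1", "10.0.0.9"),
    Scan(0.3, "10.0.1.1", "10.0.1.2"),
    Scan(0.5, "10.0.0.1", "10.0.0.2"),
    Scan(1.0, "10.0.0.1", "10.0.0.3"),
    Scan(1.2, "10.0.0.2", "10.0.0.4"),
    Scan(1.5, "10.0.0.3", "10.0.0.2"),   # .2 already infected: not a tree edge
    Scan(1.8, "10.0.0.4", "10.0.0.5"),
    Scan(2.0, "10.0.0.2", "10.0.0.6"),   # .6 is not susceptible
    Scan(2.4, "10.0.0.5", "10.0.0.3"),   # .3 already infected
    Scan(3.0, "10.0.0.3", "10.0.0.7"),
]
SUSCEPTIBLE = {
    "10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5", "10.0.0.7",
    "10.0.1.1", "10.0.1.2",
}


def build_infection_trees(trace, susceptible):
    """Replay scans in time order.

    Only infected hosts scan, so a host seen as a sender before any infected
    host scanned it must be an originator (a tree root). A susceptible host
    becomes infected, and gets its parent edge, at the first scan it receives
    from an infected host; later scans to it are not tree edges.
    Returns (originators, parent, infected_at); parent maps each non-root
    infected host to the host that infected it.
    """
    parent, infected_at, originators = {}, {}, []
    for s in sorted(trace, key=lambda s: s.t):
        if s.src not in infected_at:
            infected_at[s.src] = s.t
            originators.append(s.src)
        if s.dst in susceptible and s.dst not in infected_at:
            infected_at[s.dst] = s.t
            parent[s.dst] = s.src
    return originators, parent, infected_at


def path_to_root(host, parent):
    """Chain of infections from host back to its originator."""
    path = [host]
    while path[-1] in parent:
        path.append(parent[path[-1]])
    return path


def scans_per_second(trace, infected_at):
    """One thing a victim's own scans divulge: its observed scan rate,
    i.e. scans sent divided by the time it has been infected, measured up
    to the last observation in the trace. Hosts infected at the horizon
    (no observation window yet) are omitted."""
    horizon = max(s.t for s in trace)
    sent = defaultdict(int)
    for s in trace:
        sent[s.src] += 1
    return {h: round(n / (horizon - infected_at[h]), 3)
            for h, n in sent.items() if horizon > infected_at[h]}


def render(originators, parent):
    """Indented text rendering of every tree, one per originator."""
    children = defaultdict(list)
    for child, p in parent.items():
        children[p].append(child)
    lines = []

    def walk(h, depth):
        lines.append("  " * depth + h)
        for c in sorted(children[h]):
            walk(c, depth + 1)

    for root in originators:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    roots, parent, when = build_infection_trees(TRACE, SUSCEPTIBLE)
    print(render(roots, parent))
    print(path_to_root("10.0.0.5", parent))
    print(scans_per_second(TRACE, when))
```

The replay gives a correct tree only because the trace is complete; with the partial, sampled view a real network telescope provides, the edge for a victim is ambiguous whenever more than one infected host scanned it before its first outbound scan, which is exactly the gap the abstract says the paper addresses.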

Original language: English (US)
Title of host publication: Emerging Trends in Information and Communication Security - International Conference, ETRICS 2006, Proceedings
Publisher: Springer Verlag
Pages: 282-297
Number of pages: 16
ISBN (Print): 3540346406, 9783540346401
DOIs: https://doi.org/10.1007/11766155_20
State: Published - Jan 1 2006
Event: International Conference on Emerging Trends in Information and Communication Security, ETRICS 2006 - Freiburg, Germany
Duration: Jun 6 2006 - Jun 9 2006

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 3995 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: International Conference on Emerging Trends in Information and Communication Security, ETRICS 2006
Country: Germany
City: Freiburg
Period: 6/6/06 - 6/9/06

All Science Journal Classification (ASJC) codes

  • Theoretical Computer Science
  • Computer Science (all)

Cite this

Hamadeh, I., & Kesidis, G. (2006). Toward a framework for forensic analysis of scanning worms. In Emerging Trends in Information and Communication Security - International Conference, ETRICS 2006, Proceedings (pp. 282-297). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 3995 LNCS). Springer Verlag. https://doi.org/10.1007/11766155_20
@inproceedings{2a6c48a10ac04627bcf68a1186920b72,
title = "Toward a framework for forensic analysis of scanning worms",
abstract = "Scanning worms have been around for a while and have had some damaging effects on the Internet. Because of their fast spread and their random selection of their target victims, building a global knowledge about which infected end-systems caused the infection of which susceptible end-systems seems fairly hard. In this paper, we propose to find the originator(s) (i.e., first infected end-system(s)) that spread the worm. The broader view is to build the complete infection tree(s) rooted at the originator(s) and which leaves consist of susceptible machines becoming infected. Besides, scanning worms could unintentionally divulge some information about the machines they infect. We will show how such information could be extracted from the scans of a victim end-system. We studied two different worms, the SQL Slammer/Sapphire worm and the Witty worm, and demonstrated the possibility of building the infection tree and gathering information about the infected end-systems.",
author = "Ihab Hamadeh and George Kesidis",
year = "2006",
month = "1",
day = "1",
doi = "10.1007/11766155_20",
language = "English (US)",
isbn = "3540346406",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "282--297",
booktitle = "Emerging Trends in Information and Communication Security - International Conference, ETRICS 2006, Proceedings",
address = "Germany",
}


TY - GEN

T1 - Toward a framework for forensic analysis of scanning worms

AU - Hamadeh, Ihab

AU - Kesidis, George

PY - 2006/1/1

Y1 - 2006/1/1

N2 - Scanning worms have been around for a while and have had some damaging effects on the Internet. Because of their fast spread and their random selection of their target victims, building a global knowledge about which infected end-systems caused the infection of which susceptible end-systems seems fairly hard. In this paper, we propose to find the originator(s) (i.e., first infected end-system(s)) that spread the worm. The broader view is to build the complete infection tree(s) rooted at the originator(s) and which leaves consist of susceptible machines becoming infected. Besides, scanning worms could unintentionally divulge some information about the machines they infect. We will show how such information could be extracted from the scans of a victim end-system. We studied two different worms, the SQL Slammer/Sapphire worm and the Witty worm, and demonstrated the possibility of building the infection tree and gathering information about the infected end-systems.

AB - Scanning worms have been around for a while and have had some damaging effects on the Internet. Because of their fast spread and their random selection of their target victims, building a global knowledge about which infected end-systems caused the infection of which susceptible end-systems seems fairly hard. In this paper, we propose to find the originator(s) (i.e., first infected end-system(s)) that spread the worm. The broader view is to build the complete infection tree(s) rooted at the originator(s) and which leaves consist of susceptible machines becoming infected. Besides, scanning worms could unintentionally divulge some information about the machines they infect. We will show how such information could be extracted from the scans of a victim end-system. We studied two different worms, the SQL Slammer/Sapphire worm and the Witty worm, and demonstrated the possibility of building the infection tree and gathering information about the infected end-systems.

UR - http://www.scopus.com/inward/record.url?scp=33746586127&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=33746586127&partnerID=8YFLogxK

U2 - 10.1007/11766155_20

DO - 10.1007/11766155_20

M3 - Conference contribution

AN - SCOPUS:33746586127

SN - 3540346406

SN - 9783540346401

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 282

EP - 297

BT - Emerging Trends in Information and Communication Security - International Conference, ETRICS 2006, Proceedings

PB - Springer Verlag

ER -
