Internet Worm Detection Research, funded by an NSF CAREER grant and a grant from Intel
Internet worms have resulted in considerable disruption of our communications
infrastructure. The combined cost of the Code Red and Sapphire/Slammer worms has
been estimated at over three billion dollars, and these and other worms
prevented the normal operation of the Internet and other networks. Unless
the risk of widespread disruption from such worms can be mitigated, neither the
Internet nor other networks which interact with it can safely be relied upon for
applications which require high network availability.
Our primary focus is on limiting the possible damage from as-yet-unknown "0-day"
worms. We have designed a behavior-based worm detection system, SWORD
(Self-propagating Worm Observation and Rapid Detection). It focuses on major and
essential aspects of worm connections that cross the gateway of an
administrative domain.
In order to facilitate the testing of our detector, we have implemented a
worm simulator, GLOWS (Gateway-Level Oregon Worm Simulator), capable of
simulating a broad range of worm types and parameters. We combine the output
of this simulator with real traffic recorded at gateway points at various
public universities to synthesize a realistic network trace with known worm
traffic. This trace allows us to run repeatable experiments with known worm
contents to evaluate our detection algorithms. Additionally, we are
evaluating SWORD in a live environment on the DETER testbed.
Documents:
- Jun Li, Shad Stafford, and Toby Ehrenkranz, "SWORD: Self-propagating worm
observation and rapid detection," Tech. Rep. CIS-TR-2006-03, University of Oregon,
2006.
- Shad Stafford, Jun Li, and Toby Ehrenkranz,
"Enhancing SWORD to detect 0-day-worm-infected hosts,"
SIMULATION: Transactions of the Society for Modeling and Simulation International,
vol. 83, no. 2, pp. 199-212, February 2007.
- Shad Stafford, Jun Li, and Toby Ehrenkranz, "On the performance of SWORD in
detecting zero-day-worm-infected hosts," in Symposium on Performance
Evaluation of Computer and Telecommunication Systems (SPECTS), Calgary, Canada,
July 2006, vol. 38, pp. 559-566.
- Shad Stafford, Jun Li, Toby Ehrenkranz, and Paul Knickerbocker, "GLOWS:
A high-fidelity worm simulator," Tech. Rep. CIS-TR-2006-11, University of Oregon,
2006.
- Jun Li and Paul Knickerbocker,
"Functional similarities between computer worms and biological pathogens,"
Computers & Security, vol. 26, no. 4, pp. 338-347, June 2007.
- Daniel A. Ray, Charles B. Ward, Bogdan Munteanu, Jonathan Blackwell, Xiaoyan
Hong, and Jun Li, "Investigating the impact of real-world factors on Internet
worm propagation," in International Conference on Information Systems Security,
December 2007, 16 pages (To appear). Highest rank.
- Matthew Roughan, Jun Li, Randy Bush, Zhuoqing Mao, and Timothy Griffin, "Is BGP
update storm a sign of trouble: Observing the Internet control and data planes
during Internet worms," in Symposium on Performance Evaluation of Computer
and Telecommunication Systems (SPECTS), Calgary, Canada, July 2006, vol. 38,
pp. 535-542.
- Jun Li, Toby Ehrenkranz, Geoff Kuenning, and Peter Reiher, "Simulation and analysis
on the resiliency and efficiency of malnets," in Symposium on Measurement,
Modeling, and Simulation of Malware, Monterey, CA, June 2005, pp. 262-269.
- Peter L. Reiher, Jun Li, and G. Kuenning, "Midgard worms: Sudden nasty surprises
from a large resilient zombie army," Tech. Rep. UCLA-CSD-040019, UCLA
Computer Science Department, April 2004.
- Jun Li, "CAREER: A behavior-based framework for detecting Internet worms," in
National Science Foundation Cyber Trust Principal Investigators Meeting, January
29, 2007, poster.
- Shad Stafford, Toby Ehrenkranz, and Jun Li, "Detecting zero-day self-propagating
Internet worms based on their fundamental behavior," in USENIX Security Symposium,
August 2006, poster.
(The proposal of the poster is here).
- Xiaoyan Hong, Jun Li, Daniel A. Ray, and Charles B. Ward, "Investigating the impact
of real-world factors on Internet worm propagation," in International Conference
on Network Security (ICNS), Reston, Virginia, April 2006, presentation.
- Eric Anderson and Jun Li, "Aggregating detectors for new worm identification," in
USENIX'04 Annual Technical Conference, Boston, MA, June 2004, work-in-progress.
This material is based upon work supported by
the National Science Foundation under Grant No. 0644434.
Any opinions, findings, and conclusions or recommendations expressed in
this material are those of the author(s) and do not necessarily reflect
the views of the National Science Foundation.