Internet Worm Detection Research, funded by an NSF CAREER grant and a grant from Intel
Internet worms have resulted in considerable disruption of our communications
infrastructure. The combined cost of the Code Red and Sapphire/Slammer worms has
been estimated at over three billion dollars, and these and other worms
prevented the normal operation of the Internet and other networks.
Our primary focus is on limiting the possible damage from as-yet-unknown "0-day" worms.
We have designed a behavior-based worm detection system, SWORD
(Self-propagating Worm Observation and Rapid Detection). It focuses on major and
essential aspects of worm connections that cross the gateway of an
administrative domain.
In order to facilitate the testing of our detector, we have implemented a
worm simulator, GLOWS (Gateway-Level Oregon Worm Simulator), capable of
simulating a broad range of worm types and parameters.
Our publications and relevant documents include the following:
- Shad Stafford and Jun Li,
"Behavior-based worm detectors compared,"
in 13th International Symposium on Recent Advances in Intrusion Detection (RAID),
September 2010, 20 pages, accepted.
- Jun Li, Shad Stafford, and Toby Ehrenkranz,
"SWORD: Self-propagating worm observation and rapid detection,"
Tech. Rep. CIS-TR-2006-03, University of Oregon, 2006.
- Shad Stafford, Jun Li, and Toby Ehrenkranz,
"Enhancing SWORD to detect 0-day-worm-infected hosts,"
SIMULATION: Transactions of the Society for Modeling and Simulation International,
vol. 83, no. 2, pp. 199-212, February 2007.
- Shad Stafford, Jun Li, and Toby Ehrenkranz,
"On the performance of SWORD in detecting zero-day-worm-infected hosts,"
in Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS),
Calgary, Canada, July 2006, vol. 38, pp. 559-566.
- Shad Stafford, Jun Li, Toby Ehrenkranz, and Paul Knickerbocker,
"GLOWS: A high-fidelity worm simulator,"
Tech. Rep. CIS-TR-2006-11, University of Oregon, 2006.
- Daniel A. Ray, Charles B. Ward, Bogdan Munteanu, Jonathan Blackwell, Xiaoyan Hong, and Jun Li,
"Investigating the impact of real-world factors on Internet worm propagation,"
in International Conference on Information Systems Security,
December 2007, pp. 10-24. (Highest rank among all submissions.)
- Jun Li and Paul Knickerbocker,
"Functional similarities between computer worms and biological pathogens,"
Computers & Security,
vol. 26, no. 4, pp. 338-347, June 2007.
- Matthew Roughan, Jun Li, Randy Bush, Zhuoqing Mao, and Timothy Griffin,
"Is BGP update storm a sign of trouble:
Observing the Internet control and data planes during Internet worms,"
in Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS),
Calgary, Canada, July 2006, vol. 38, pp. 535-542.
- Jun Li, Toby Ehrenkranz, Geoff Kuenning, and Peter Reiher,
"Simulation and analysis on the resiliency and efficiency of malnets,"
in Symposium on Measurement, Modeling, and Simulation of Malware,
Monterey, CA, June 2005, pp. 262-269.
- Peter L. Reiher, Jun Li, and G. Kuenning,
"Midgard worms: Sudden nasty surprises from a large resilient zombie army,"
Tech. Rep. UCLA-CSD-040019, UCLA Computer Science Department, April 2004.
- Jun Li, "CAREER: A behavior-based framework for detecting Internet worms," in
National Science Foundation Cyber Trust Principal Investigators Meeting,
January 29, 2007, poster.
- Shad Stafford, Toby Ehrenkranz, and Jun Li,
"Detecting zero-day self-propagating Internet worms based on their fundamental behavior,"
in USENIX Security Symposium,
August 2006, poster.
(The proposal of the poster is here).
- Eric Anderson and Jun Li,
"Aggregating detectors for new worm identification,"
in USENIX'04 Annual Technical Conference,
Boston, MA, June 2004, work-in-progress.
This material is based upon work supported by
the National Science Foundation under Grant No. 0644434.
Any opinions, findings, and conclusions or recommendations expressed in
this material are those of the author(s) and do not necessarily reflect
the views of the National Science Foundation.