Internet Worm Detection Research, funded by an NSF CAREER grant and a grant from Intel
Internet worms have caused considerable disruption of our communications
infrastructure, and their estimated cost sometimes reaches several billion dollars.
Recent worms such as IKEE.B (also known as the iPhone worm), Stuxnet, and Conficker
present further challenges to worm detection, raising the question of
how effective our worm defenses are.
Our primary focus is on limiting the possible damage from as-yet-unknown "0-day" worms.
We have designed a behavior-based worm detection system, SWORD
(Self-propagating Worm Observation and Rapid Detection). It focuses on major and
essential aspects of worm connections that cross the gateway of an
administrative domain.
We have implemented a worm detector evaluation framework that can plug in
any behavior-based worm detector and test its performance. This framework
includes a worm simulator, GLOWS (Gateway-Level Oregon Worm Simulator),
that is capable of simulating a broad range of worm types and parameters.
Our publications and relevant documents include the following.
Publications since 2007 are based upon work partially supported by the National Science
Foundation under Grant No. CNS-0644434. Any opinions, findings, and conclusions
or recommendations expressed in them are those of the authors and do
not necessarily reflect the views of the National Science Foundation.
- Jun Li and Shad Stafford,
"Detecting smart, self-propagating internet worms,"
in 2nd IEEE Conference on Communications and Network Security 2014 (CNS),
October 2014, 9 pages.
- Ghulam Memon, Jun Li, and Reza Rejaie,
"Tsunami: A parasitic, indestructible botnet on Kad,"
Peer-to-Peer Networking and Applications, accepted February 2013.
DOI: 10.1007/s12083-013-0202-x.
- Shad Stafford.
Behavior-based Worm Detection,
Ph.D. Thesis, March 2012.
- Shad Stafford and Jun Li,
"Internet worm detection techniques: A survey,"
Tech. Rep. CIS-TR-2012-01, University of Oregon, 2012.
- Shad Stafford and Jun Li,
"Behavior-based worm detectors compared,"
in 13th International Symposium on Recent Advances in Intrusion Detection (RAID),
September 2010, 20 pages.
- Jun Li, Shad Stafford, and Toby Ehrenkranz,
"SWORD: Self-propagating worm observation and rapid detection,"
Tech. Rep. CIS-TR-2006-03, University of Oregon, 2006.
- Shad Stafford, Jun Li, and Toby Ehrenkranz,
"Enhancing SWORD to detect 0-day-worm-infected hosts,"
SIMULATION: Transactions of the Society for Modeling and Simulation International,
vol. 83, no. 2, pp. 199-212, February 2007.
- Shad Stafford, Jun Li, and Toby Ehrenkranz,
"On the performance of SWORD in detecting zero-day-worm-infected hosts,"
in Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS),
Calgary, Canada, July 2006, vol. 38, pp. 559-566.
- Shad Stafford, Jun Li, Toby Ehrenkranz, and Paul Knickerbocker,
"GLOWS: A high-fidelity worm simulator,"
Tech. Rep. CIS-TR-2006-11, University of Oregon, 2006.
- Daniel A. Ray, Charles B. Ward, Bogdan Munteanu, Jonathan Blackwell, Xiaoyan Hong, and Jun Li,
"Investigating the impact of real-world factors on Internet worm propagation,"
in International Conference on Information Systems Security,
December 2007, pp. 10-24. (Highest rank among all submissions.)
- Jun Li and Paul Knickerbocker,
"Functional similarities between computer worms and biological pathogens,"
Computers & Security,
vol. 26, no. 4, pp. 338-347, June 2007.
- Matthew Roughan, Jun Li, Randy Bush, Zhuoqing Mao, and Timothy Griffin,
"Is BGP update storm a sign of trouble:
Observing the Internet control and data planes during Internet worms,"
in Symposium on Performance Evaluation of Computer and Telecommunication Systems (SPECTS),
Calgary, Canada, July 2006, vol. 38, pp. 535-542.
- Jun Li, Toby Ehrenkranz, Geoff Kuenning, and Peter Reiher,
"Simulation and analysis on the resiliency and efficiency of malnets,"
in Symposium on Measurement, Modeling, and Simulation of Malware,
Monterey, CA, June 2005, pp. 262-269.
- Peter L. Reiher, Jun Li, and G. Kuenning,
"Midgard worms: Sudden nasty surprises from a large resilient zombie army,"
Tech. Rep. UCLA-CSD-040019, UCLA Computer Science Department, April 2004.
- Jun Li, "CAREER: A behavior-based framework for detecting Internet worms," in
National Science Foundation Cyber Trust Principal Investigators Meeting,
January 29, 2007, poster.
- Shad Stafford, Toby Ehrenkranz, and Jun Li,
"Detecting zero-day self-propagating Internet worms based on their fundamental behavior,"
in USENIX Security Symposium,
August 2006, poster.
(The proposal of the poster is here).
- Eric Anderson and Jun Li,
"Aggregating detectors for new worm identification,"
in USENIX'04 Annual Technical Conference,
Boston, MA, June 2004, work-in-progress.
This research is supported by
the National Science Foundation under Award No. CNS-0644434.
Any opinions, findings, and conclusions or recommendations expressed in
this research are those of the author(s) and do not necessarily reflect
the views of the National Science Foundation.