Detecting Intra-enterprise Scanning Worms based on Address Resolution

A
ACSAC
2005
21st Annual Computer Security Applications Conference (ACSAC'05)
Abstract - Detecting Intra-enterprise Scanning Worms based on Address Resolution

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by David Whyte Articles by Paul C. van Oorschot Articles by Evangelos Kranakis

21st Annual Computer Security Applications Conference (ACSAC'05)

Tucson, Arizona

December 05-December 09

ISBN: 0-7695-2461-3

	ASCII Text	x
	David Whyte, Paul C. van Oorschot, Evangelos Kranakis, "Detecting Intra-enterprise Scanning Worms based on Address Resolution," Computer Security Applications Conference, Annual, pp. 371-380, 21st Annual Computer Security Applications Conference (ACSAC'05), 2005.

	BibTex	x
	@article{ 10.1109/CSAC.2005.20, author = {David Whyte and Paul C. van Oorschot and Evangelos Kranakis}, title = {Detecting Intra-enterprise Scanning Worms based on Address Resolution}, journal ={Computer Security Applications Conference, Annual}, volume = {0}, year = {2005}, issn = {1063-9527}, pages = {371-380}, doi = {http://doi.ieeecomputersociety.org/10.1109/CSAC.2005.20}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computer Security Applications Conference, Annual TI - Detecting Intra-enterprise Scanning Worms based on Address Resolution SN - 1063-9527 SP371 EP380 A1 - David Whyte, A1 - Paul C. van Oorschot, A1 - Evangelos Kranakis, PY - 2005 KW - null VL - 0 JA - Computer Security Applications Conference, Annual ER -

David Whyte, Carleton University, Ottawa, Canada

Paul C. van Oorschot, Carleton University, Ottawa, Canada

Evangelos Kranakis, Carleton University, Ottawa, Canada

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/CSAC.2005.20

Signature-based schemes for detecting Internet worms often fail on zero-day worms, and their ability to rapidly react to new threats is typically limited by the requirement of some form of human involvement to formulate updated attack signatures. We propose an anomaly-based detection technique detailing a method to detect propagation of scanning worms within individual network cells, thus protecting internal networks from infection by internal clients. Our software implementation indicates that this technique is both accurate and rapid enough to enable automatic containment and suppression of worm propagation within a network cell. Our approach relies on an aggregate anomaly score, derived from the correlation of Address Resolution Protocol (ARP) activity from individual network attached devices. Our preliminary analysis and prototype indicate that this technique can be used to rapidly detect zero-day worms within a very small number of scans.

Citation:

David Whyte, Paul C. van Oorschot, Evangelos Kranakis, "Detecting Intra-enterprise Scanning Worms based on Address Resolution," acsac, pp.371-380, 21st Annual Computer Security Applications Conference (ACSAC'05), 2005

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.