Internet worms have become a widespread threat to system and network
operations. In order to fight them more efficiently, it is necessary to analyze
newly discovered worms and attack patterns. This paper shows how techniques
based on Kolmogorov Complexity can help in the analysis of internet worms and
network traffic. Using compression, different species of worms can be clustered
by type. This allows us to determine whether an unknown worm binary could in
fact be a later version of an existing worm in an extremely simple, automated,
manner. This may become a useful tool in the initial analysis of malicious
binaries. Furthermore, compression can also be useful to distinguish different
types of network traffic and can thus help to detect traffic anomalies: Certain
anomalies may be detected by looking at the compressibility of a network
session alone. We furthermore show how to use compression to detect malicious
network sessions that are very similar to known intrusion attempts. This
technique could become a useful tool to detect new variations of an attack and
thus help to prevent IDS evasion. We provide two new plugins for Snort which
demonstrate both approaches.
%0 Generic
%1 citeulike:222736
%A Wehner, Stephanie
%D 2005
%K network traffic
%T Analyzing Worms and Network Traffic using Compression
%U http://arxiv.org/abs/cs/0504045
%X Internet worms have become a widespread threat to system and network
operations. In order to fight them more efficiently, it is necessary to analyze
newly discovered worms and attack patterns. This paper shows how techniques
based on Kolmogorov Complexity can help in the analysis of internet worms and
network traffic. Using compression, different species of worms can be clustered
by type. This allows us to determine whether an unknown worm binary could in
fact be a later version of an existing worm in an extremely simple, automated,
manner. This may become a useful tool in the initial analysis of malicious
binaries. Furthermore, compression can also be useful to distinguish different
types of network traffic and can thus help to detect traffic anomalies: Certain
anomalies may be detected by looking at the compressibility of a network
session alone. We furthermore show how to use compression to detect malicious
network sessions that are very similar to known intrusion attempts. This
technique could become a useful tool to detect new variations of an attack and
thus help to prevent IDS evasion. We provide two new plugins for Snort which
demonstrate both approaches.
@misc{citeulike:222736,
abstract = {Internet worms have become a widespread threat to system and network
operations. In order to fight them more efficiently, it is necessary to analyze
newly discovered worms and attack patterns. This paper shows how techniques
based on Kolmogorov Complexity can help in the analysis of internet worms and
network traffic. Using compression, different species of worms can be clustered
by type. This allows us to determine whether an unknown worm binary could in
fact be a later version of an existing worm in an extremely simple, automated,
manner. This may become a useful tool in the initial analysis of malicious
binaries. Furthermore, compression can also be useful to distinguish different
types of network traffic and can thus help to detect traffic anomalies: Certain
anomalies may be detected by looking at the compressibility of a network
session alone. We furthermore show how to use compression to detect malicious
network sessions that are very similar to known intrusion attempts. This
technique could become a useful tool to detect new variations of an attack and
thus help to prevent IDS evasion. We provide two new plugins for Snort which
demonstrate both approaches.},
added-at = {2007-08-18T13:22:24.000+0200},
author = {Wehner, Stephanie},
biburl = {https://www.bibsonomy.org/bibtex/27c4fec9bae836f37c1db62aed175a2f4/a_olympia},
citeulike-article-id = {222736},
description = {citeulike},
eprint = {cs/0504045},
interhash = {c23fd2771c616ce60fedcdb30c38052b},
intrahash = {7c4fec9bae836f37c1db62aed175a2f4},
keywords = {network traffic},
month = {April},
priority = {2},
timestamp = {2007-08-18T13:22:47.000+0200},
title = {Analyzing Worms and Network Traffic using Compression},
url = {http://arxiv.org/abs/cs/0504045},
year = 2005
}