Abstract
Because an early response is crucial to limiting the damage from unknown Internet attacks, a defense mechanism may put time efficiency and the observation (and prediction) of changing network status ahead of accuracy. The security community therefore needs a new mechanism that predicts unknown future Internet attacks. This motivates our study of forecasting future Internet attacks, which we call CWF (Cyber Weather Forecasting). To show that the principle of CWF can be realized in the real world, we propose a forecasting mechanism called FORE (FOrecasting using REgression analysis), based on real-time analysis of the randomness in network traffic. FORE responds to unknown worms 1.8 times faster than the early detection mechanism ADUR (Anomaly Detection Using Randomness check), which can detect a worm when only one percent of the total number of vulnerable hosts are infected. Furthermore, FORE provides timely information about how the current network situation is changing. Evaluation results demonstrate the prediction efficiency of the proposed mechanism, including the ability to predict worm behavior starting from 0.03 percent infection. To the best of our knowledge, this is the first study to achieve prediction of future Internet attacks.
This work was partially supported by Seoul City R&BD program WR080951 and the National Research Foundation of Korea (NRF) grant funded by the Korean government (MEST) (2009-0086140).
© 2012 IFIP International Federation for Information Processing
Cite this paper
Park, H., Jung, SO.D., Lee, H., In, H.P. (2012). Cyber Weather Forecasting: Forecasting Unknown Internet Worms Using Randomness Analysis. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_31
DOI: https://doi.org/10.1007/978-3-642-30436-1_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1