Detecting stealthy spreaders using online outdegree histograms

Yan Gao*, Yao Zhao, Robert Schweller, Shobha Venkataraman, Yan Chen, Dawn Song, Ming-Yang Kao

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

12 Citations (Scopus)

Abstract

We consider the problem of detecting the presence of a sufficiently large number of hosts that connect to more than a certain number of unique destinations within a given time window, over high-speed networks. We call such hosts stealthy spreaders. In practice, stealthy spreaders can be symptomatic of botnet scans or moderate worm propagation. Previous techniques have focused on detecting sources with an extremely large outdegree. However, such techniques will fail to detect spreaders such as bot scans in which each scanning host will scan only a moderate, fixed number of destinations. In contrast, our scheme maintains a small, fixed-size memory usage, and is still able to detect stealthy spreader scenarios by approximating outdegree histograms from continuous traffic. To the best of our knowledge, we are the first to study the efficient outdegree histogram estimation and stealthy spreader detection problems. Evaluation based on real Internet traffic and botnet scan events shows that our scheme is highly accurate and can operate online.

Original language: English (US)
Title of host publication: 2007 Fifteenth IEEE International Workshop on Quality of Service, IWQoS 2007
Pages: 145-153
Number of pages: 9
DOIs: https://doi.org/10.1109/IWQOS.2007.376561
State: Published - Oct 1 2007
Event: 2007 Fifteenth IEEE International Workshop on Quality of Service, IWQoS 2007 - Evanston, IL, United States
Duration: Jun 21 2007 to Jun 22 2007

Publication series

Name: IEEE International Workshop on Quality of Service, IWQoS
ISSN (Print): 1548-615X

Other

Other: 2007 Fifteenth IEEE International Workshop on Quality of Service, IWQoS 2007
Country: United States
City: Evanston, IL
Period: 6/21/07 to 6/22/07

Fingerprint

Spreaders
High speed networks
Internet
Scanning
Data storage equipment

ASJC Scopus subject areas

  • Electrical and Electronic Engineering

Cite this

Gao, Y., Zhao, Y., Schweller, R., Venkataraman, S., Chen, Y., Song, D., & Kao, M-Y. (2007). Detecting stealthy spreaders using online outdegree histograms. In 2007 Fifteenth IEEE International Workshop on Quality of Service, IWQoS 2007 (pp. 145-153). [4262465] (IEEE International Workshop on Quality of Service, IWQoS). https://doi.org/10.1109/IWQOS.2007.376561
@inproceedings{e031e9d8b66146e983a577d270598ff9,
title = "Detecting stealthy spreaders using online outdegree histograms",
author = "Yan Gao and Yao Zhao and Robert Schweller and Shobha Venkataraman and Yan Chen and Dawn Song and Ming-Yang Kao",
year = "2007",
month = "10",
day = "1",
doi = "10.1109/IWQOS.2007.376561",
language = "English (US)",
isbn = "1424411858",
series = "IEEE International Workshop on Quality of Service, IWQoS",
pages = "145--153",
booktitle = "2007 Fifteenth IEEE International Workshop on Quality of Service, IWQoS 2007",

}

TY - GEN

T1 - Detecting stealthy spreaders using online outdegree histograms

AU - Gao, Yan

AU - Zhao, Yao

AU - Schweller, Robert

AU - Venkataraman, Shobha

AU - Chen, Yan

AU - Song, Dawn

AU - Kao, Ming-Yang

PY - 2007/10/1

Y1 - 2007/10/1

UR - http://www.scopus.com/inward/record.url?scp=34748852399&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=34748852399&partnerID=8YFLogxK

U2 - 10.1109/IWQOS.2007.376561

DO - 10.1109/IWQOS.2007.376561

M3 - Conference contribution

AN - SCOPUS:34748852399

SN - 1424411858

SN - 9781424411856

T3 - IEEE International Workshop on Quality of Service, IWQoS

SP - 145

EP - 153

BT - 2007 Fifteenth IEEE International Workshop on Quality of Service, IWQoS 2007

ER -
