TY - GEN
T1 - Detecting stealthy spreaders using online outdegree histograms
AU - Gao, Yan
AU - Zhao, Yao
AU - Schweller, Robert
AU - Venkataraman, Shobha
AU - Chen, Yan
AU - Song, Dawn
AU - Kao, Ming-Yang
PY - 2007
Y1 - 2007
N2 - We consider the problem of detecting the presence of a sufficiently large number of hosts that connect to more than a certain number of unique destinations within a given time window, over high-speed networks. We call such hosts stealthy spreaders. In practice, stealthy spreaders can be symptomatic of botnet scans or moderate worm propagation. Previous techniques have focused on detecting sources with an extremely large outdegree. However, such techniques will fail to detect spreaders such as bot scans in which each scanning host will scan only a moderate, fixed number of destinations. In contrast, our scheme maintains a small, fixed-size memory usage, and is still able to detect stealthy spreader scenarios by approximating outdegree histograms from continuous traffic. To the best of our knowledge, we are the first to study the efficient outdegree histogram estimation and stealthy spreader detection problems. Evaluation based on real Internet traffic and botnet scan events shows that our scheme is highly accurate and can operate online.
AB - We consider the problem of detecting the presence of a sufficiently large number of hosts that connect to more than a certain number of unique destinations within a given time window, over high-speed networks. We call such hosts stealthy spreaders. In practice, stealthy spreaders can be symptomatic of botnet scans or moderate worm propagation. Previous techniques have focused on detecting sources with an extremely large outdegree. However, such techniques will fail to detect spreaders such as bot scans in which each scanning host will scan only a moderate, fixed number of destinations. In contrast, our scheme maintains a small, fixed-size memory usage, and is still able to detect stealthy spreader scenarios by approximating outdegree histograms from continuous traffic. To the best of our knowledge, we are the first to study the efficient outdegree histogram estimation and stealthy spreader detection problems. Evaluation based on real Internet traffic and botnet scan events shows that our scheme is highly accurate and can operate online.
UR - http://www.scopus.com/inward/record.url?scp=34748852399&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34748852399&partnerID=8YFLogxK
U2 - 10.1109/IWQOS.2007.376561
DO - 10.1109/IWQOS.2007.376561
M3 - Conference contribution
AN - SCOPUS:34748852399
SN - 1424411858
SN - 9781424411856
T3 - IEEE International Workshop on Quality of Service, IWQoS
SP - 145
EP - 153
BT - 2007 Fifteenth IEEE International Workshop on Quality of Service, IWQoS 2007
T2 - 2007 Fifteenth IEEE International Workshop on Quality of Service, IWQoS 2007
Y2 - 21 June 2007 through 22 June 2007
ER -