Sciweavers

Share
NOMS
2010
IEEE

Packet sampling for worm and botnet detection in TCP connections

9 years 5 months ago
Packet sampling for worm and botnet detection in TCP connections
—Malware and botnets pose a steady and growing threat to network security. Therefore, packet analysis systems examine network traffic to detect active botnets and spreading worms. However, with the advent of multi-gigabit link speeds, capturing and analysing header and payload of every packet requires enormous amounts of computational resources and is therefore not feasible in many situations. We address this problem by presenting an efficient packet sampling algorithm that picks a small number of packets from the beginning of every TCP connection. Bloom filters are used to store the required connection state information with constant amount of memory. Our analysis of worm and botnet traffic shows that the large majority of attack signatures is actually found in these packets. Thus, our sampling algorithm can be deployed in front of a detection system to reduce the amount of inspected packets without degrading the detection results significantly.
Lothar Braun, Gerhard Münz, Georg Carle
Added 29 Jan 2011
Updated 29 Jan 2011
Type Journal
Year 2010
Where NOMS
Authors Lothar Braun, Gerhard Münz, Georg Carle
Comments (0)
books