12:45PM, Thursday, October 27th 2005.
Gates 104

Exploiting Underlying Structure for Detailed Reconstruction of an Internet-scale Event

Vern Paxson
International Computer Science Institute

joint work with Abhishek Kumar (Georgia Tech.) and Nicholas Weaver (ICSI)

About the talk:
Network "telescopes" that record packets sent to unused blocks of Internet address space have emerged as important tools for observing Internet-scale events such as the spreading of worms, probing of botnets, and backscatter from distant flooding attacks.  Current telescope analyses produce detailed tabulations of packet rates, victim population, and evolution over time.  While such cataloging is a crucial first step in studying the telescope observations, incorporating an understanding of the underlying processes generating the observations allows us to construct detailed information about the broader "universe" in which the Internet-scale activity occurs, greatly enriching and deepening the analysis in the process.
In this talk I will discuss an application of such an analysis to the propagation of "Witty", a malicious and well-engineered worm that, when released in March 2004, infected more than 12,000 hosts worldwide in 75 minutes.  We find that by exploiting the worm's underlying structure, from limited and imperfect telescope data we can, with high fidelity, draw a remarkable range of inferences.
This research was conducted in the context of the NSF-sponsored Collaborative Center for Internet Epidemiology and Defenses, a 5-year joint effort between ICSI and UC San Diego.

About the speaker:
Vern Paxson is a senior scientist at the International Computer Science Institute (ICSI) in Berkeley, California, as well as a staff scientist with the Lawrence Berkeley National Laboratory.  His main active research projects are network intrusion detection in the context of Bro, a high-performance network intrusion detection system he developed; large-scale network measurement and analysis; and Internet-scale attacks, particularly rapidly-propagating network "worms".  This latter is pursued in the context of CCIED, the NSF-sponsored Collaborative Center for Internet Epidemiology and Defenses, which he codirects with Prof. Stefan Savage of UCSD.  Some of his other professional activities include: vice-chair of ACM SIGCOMM, program co-chair for the 2005 and 2006 IEEE Symposium on Security & Privacy, and co-founder of the ACM Internet Measurement Conference.