The Worminator project, part of the Intrusion Detection System group at Columbia University, aims to support collaborative intrusion detection, whereby IDS sensors can exchange alerts to glean information about common sources and vectors of attack. By doing so, we can accomplish two significant goals:
- Fast detection of worms. By sharing information between sites, worm behavior (and optionally payload information) can be exchanged in near real time, enabling aggressive defense strategies against a worm's spread.
- Detection of stealthy scans. Most IDS sensors are good at picking up frequent scan behavior, but "slow and low" scans often fly under the radar. Some IDSes' sensitivity can be tuned to pick up such scan behavior, but at the cost of generating significant numbers of false positives. By correlating alerts between sites, common sources of such scans can be detected with little noise.
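
The cross-site correlation idea behind the second goal, as an added sketch (not Worminator's own code): each source stays below a single sensor's scan threshold, but it stands out once alerts from several sites are pooled. The alert tuple format, site names, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (reporting site, source IP, timestamp).
# Addresses come from the documentation ranges; none are real observations.
ALERTS = (
    # Noisy scanner: six probes at one site within minutes.
    [("site-a", "203.0.113.20", f"2005-09-02T10:0{i}:00") for i in range(6)]
    + [
        # Slow scanner: a single probe at each of three sites over five days.
        ("site-a", "198.51.100.7", "2005-09-01T02:14:00"),
        ("site-b", "198.51.100.7", "2005-09-03T17:40:00"),
        ("site-c", "198.51.100.7", "2005-09-05T08:05:00"),
        # Seen at only two sites: below the correlation threshold.
        ("site-a", "192.0.2.44", "2005-09-01T11:00:00"),
        ("site-b", "192.0.2.44", "2005-09-02T12:00:00"),
        # Three sites, but spread over a month: outside the window.
        ("site-a", "192.0.2.99", "2005-08-01T00:00:00"),
        ("site-b", "192.0.2.99", "2005-08-15T00:00:00"),
        ("site-c", "192.0.2.99", "2005-09-01T00:00:00"),
    ]
)

LOCAL_THRESHOLD = 5          # assumed per-sensor alert count needed to flag a scan
MIN_SITES = 3                # assumed number of distinct sites needed to correlate
WINDOW = timedelta(days=7)   # assumed correlation window

def local_detections(alerts, threshold=LOCAL_THRESHOLD):
    """What each sensor flags alone: (site, source) pairs at or above threshold."""
    counts = defaultdict(int)
    for site, src, _ in alerts:
        counts[(site, src)] += 1
    return {key for key, n in counts.items() if n >= threshold}

def correlated_sources(alerts, min_sites=MIN_SITES, window=WINDOW):
    """Sources reported by at least min_sites distinct sites inside one window."""
    by_src = defaultdict(list)
    for site, src, ts in alerts:
        by_src[src].append((datetime.fromisoformat(ts), site))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            sites = {s for t, s in events[i:] if t - start <= window}
            if len(sites) >= min_sites:
                flagged[src] = sorted(sites)
                break
    return flagged

if __name__ == "__main__":
    print("flagged locally:   ", local_detections(ALERTS))
    print("flagged by sharing:", correlated_sources(ALERTS))
```

On this sample, the slow scanner never reaches the local threshold at any one site and is found only by the shared view.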

Worminator is not itself an IDS sensor, but instead is an alert exchange framework that works in conjunction with other IDS sensors. It currently uses the Counterstorm NIDS sensor, and work is ongoing to integrate our PAYL sensor as well.
Worminator is currently in early deployment stages. If you have an account, or for further information, please visit the Worminator website.
Papers and Posters
- J. Parekh. "Worminator: Collaborative Intrusion Detection." Poster presentation at International Symposium on Recent Advances in Intrusion Detection, September 9, 2005.
- M. Locasto, J. Parekh, A. Keromytis, S. Stolfo. "Towards Collaborative Security and P2P Intrusion Detection." In Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, June 2005.
- M. Locasto, J. Parekh, S. Stolfo, A. Keromytis, T. Malkin, V. Misra. "Collaborative Distributed Intrusion Detection." CU Tech Report CUCS-012-04, 2004.
- CUCS D-NAD Group. "On the Feasibility of Distributed Intrusion Detection." Technical report, Sept. 2004.
Other related publications and talks can be found on the website.