Detecting Pandemic and Endemic Incidents through Network Telescopes: Security Analysis

Fotis Gagadis

(2008)

Fotis Gagadis (2008) Detecting Pandemic and Endemic Incidents through Network Telescopes: Security Analysis.

Full text access: Open (full text, 1.92 MB)

Abstract

Moore et al., from the Cooperative Association for Internet Data Analysis (CAIDA), proposed in recent years a further measurement and monitoring method for networks and the Internet. Network telescopes are used to detect malicious traffic events generated by Denial of Service attacks, worm-infected hosts and misconfiguration. This report focuses on endemic and pandemic incidents (DoS, worms) and on how these incidents are observed through different darknet topologies and statistical models. Furthermore, the effectiveness of network telescopes is examined for a broader understanding and evaluation.

Information about this Version

This is a Published version
This version's date is: 22/01/2008
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/d9a55dda-1e67-6890-ce18-4c086a1381ec/1/

Item Type: Monograph (Technical Report)
Title: Detecting Pandemic and Endemic Incidents through Network Telescopes: Security Analysis
Authors: Gagadis, Fotis
Departments: Faculty of Science\Mathematics

Deposited on 28-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.

References

[1] Dave Aitel, Nematodes: beneficial worms, September 2005.

[2] L. Andersson and L. Zhang, Report from the IAB workshop on unwanted traffic, March 9-10, 2006, Internet-Draft draft-iab-iwout-report-00.txt, Network Working Group, IETF, March 2006.

[3] Michael Bailey, Evan Cooke, Timothy Battles, and Danny McPherson, Tracking global threats with the Internet Motion Sensor, NANOG 32, September 7, 2004.

[4] Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson, The Internet Motion Sensor: A distributed blackhole monitoring system, Proceedings of the Network and Distributed System Security Symposium (NDSS '05), Electrical Engineering and Computer Science Department, University of Michigan, and Arbor Networks, February 2005.

[5] Michael Bailey, Evan Cooke, Farnam Jahanian, Niels Provos, Karl Rosaen, and David Watson, Data reduction for the scalable automated analysis of distributed darknet traffic, USENIX Association Internet Measurement Conference, 2005.

[6] Michael Bailey, Evan Cooke, David Watson, Farnam Jahanian, and Jose Nazario, The Blaster worm: Then and now, IEEE Security and Privacy Magazine, vol. 3, July-August 2005, pp. 26–31.

[7] George Bakos, SQLSnake code analysis, 2002.

[8] Bellovin (AT&T Labs Research), ICMP traceback messages, Network Working Group, Internet-Draft, March 2000.

[9] Steven M. Bellovin, There be dragons, Proceedings of the Third USENIX UNIX Security Symposium, 1992, pp. 1–16.

[10] Steven M. Bellovin, Packets found on an Internet, Computer Communications Review, vol. 23, no. 3, July 1993, pp. 26–31.

[11] Chen Bo, Bin Xing Fang, and Xiao Chun Yun, Adaptive method for monitoring network and early detection of Internet worms, Lecture Notes in Computer Science, vol. 3975, Surveillance and Emergency Response, pp. 178–189, Springer Berlin / Heidelberg, May 10, 2006.

[12] Y. Bouzida, F. Cuppens, and S. Gombault, Detecting and reacting against distributed denial of service attacks, IEEE International Conference on Communications (ICC 2006), vol. 5, June 2006, pp. 2394–2400.

[13] K. C. Claffy, Internet traffic characterization, Ph.D. thesis, UC San Diego, 1994.

[14] Martin Casado, Tal Garfinkel, Weidong Cui, Vern Paxson, and Stefan Savage, Opportunistic measurement: Extracting insight from spurious traffic, 4th Workshop on Hot Topics in Networks (HotNets-IV), November 2005.

[15] Shigang Chen and S. Ranka, Detecting Internet worms at early stage, IEEE Journal on Selected Areas in Communications 23 (2005), no. 10, 2003–2012.

[16] Zesheng Chen, Worm propagation models, Mathematics Awareness Month (2006).

[17] Zesheng Chen, Lixin Gao, and Kevin Kwiat, Modeling the spread of active worms, INFOCOM, April 2003.

[18] Zesheng Chen and Chuanyi Ji, Optimal worm-scanning method using vulnerable-host distributions, International Journal of Security and Networks: Special Issue on Computer and Network Security, vol. 2, no. 1/2, 2007.

[19] Evan Cooke, Michael Bailey, Farnam Jahanian, and Richard Mortier, Dark Oracle: Perspective-aware unused and unreachable address discovery, 3rd Symposium on Networked Systems Design and Implementation (NSDI '06), San Jose, CA, May 8-10, 2006.

[20] Evan Cooke, Michael Bailey, Z. Morley Mao, David Watson, Farnam Jahanian, and Danny McPherson, Toward understanding distributed blackhole placement, WORM '04: Proceedings of the 2004 ACM Workshop on Rapid Malcode (New York, NY, USA), ACM Press, 2004, pp. 54–64.

[21] Evan Cooke, Farnam Jahanian, and Danny McPherson, The zombie roundup: Understanding, detecting, and disrupting botnets, Proceedings of the Workshop on Steps to Reducing Unwanted Traffic on the Internet (SRUTI '05), July 2005.

[22] James Cowie, Andy T. Ogielski, B. J. Premore, and Yougu Yuan, Global routing instabilities triggered by Code Red II and Nimda worm attacks, Tech. report, Renesys Corporation, Hanover, NH 03750, December 2001.

[23] Weidong Cui, Vern Paxson, and Nicholas C. Weaver, GQ: Realizing a system to catch worms in a quarter million places, Tech. report, International Computer Science Institute, 1947 Center St. Suite 600, Berkeley, California 94704-1198, September 7, 2006.

[24] Tina Darmohray and Ross Oliver, "Hot spares" for DoS attacks, ;login:, November 2000.

[25] D. Dean, M. Franklin, and A. Stubblefield, An algebraic approach to IP traceback, Network and Distributed System Security Symposium Conference Proceedings, 2001.

[26] T. Dübendorfer and B. Plattner, Host behaviour based early detection of worm outbreaks in Internet backbones, 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise, 2005.

[27] Thomas Dübendorfer, Flow-level traffic analysis of the Blaster and Sobig worm outbreaks in an Internet backbone, ETH Zurich, Switzerland, DIMVA 2005, Wien, Austria, 2005.

[28] Michalis Faloutsos, Public real data repositories and measurement tools, ACM SIGCOMM Computer Communication Review, vol. 36, no. 2 (April 2006), pp. 37–40, ACM Press, 2006.

[29] Werner Feibel, Encyclopedia of Networking, 2nd ed., ISBN 0-7821-1829-1, Network Press, 1996.

[30] Virtual Center for Network and Security Data, PREDICT workshop, Newport Beach, CA, September 27, 2005.

[31] Jerome Francois, Radu State, and Olivier Festor, Tracking global wide configuration errors, Tech. report, Management of Dynamic Networks and Services, Laboratoire Lorrain d'Informatique et de ses Applications, Nancy, France, 2006.

[32] Mark Fullmer and Steve Romig, The OSU flow-tools package and Cisco NetFlow logs, Proceedings of the 2000 USENIX LISA Conference (New Orleans, LA), 2000, pp. 291–303.

[33] G. Carl, G. Kesidis, R. R. Brooks, and Suresh Rai, Denial-of-service attack-detection techniques, IEEE Internet Computing 10 (2006), no. 1, 82–89.

[34] Julia Grace and Claire O'Shea, Network telescopes.

[35] Guofei Gu, Monirul Sharif, Xinzhou Qin, David Dagon, Wenke Lee, and George Riley, Worm detection, early warning and response based on local victim information, ACSAC, December 2004.

[36] H. Burch and B. Cheswick, Tracing anonymous packets to their approximate source, Proceedings of the 2000 USENIX LISA Conference (New Orleans, LA), 2000, pp. 319–327.

[37] Uli Harder, M. W. Johnson, J. T. Bradley, and W. J. Knottenbelt, Observing Internet worm and virus attacks with a small network telescope, PASM 2005, Proceedings of the 2nd Workshop on Practical Applications of Stochastic Modelling, July 2005, pp. 113–126.

[38] Warren Harrop and Grenville Armitage, Greynets: A definition and evaluation of sparsely populated darknets, Centre for Advanced Internet Architectures, Swinburne University of Technology, Melbourne, Australia, August 22-26, 2005.

[39] Herbert W. Hethcote, The mathematics of infectious diseases, SIAM Review, vol. 42, 2000, pp. 599–653, http://www.math.uiowa.edu/~hethcote/PDFs/2000SiamRev.pdf.

[40] Alefiya Hussain, John Heidemann, and Christos Papadopoulos, A framework for classifying denial of service attacks, ACM SIGCOMM (Karlsruhe, Germany), August 25-29, 2003.

[41] P. Ferguson (Cisco Systems Inc.) and D. Senie (Amaranth Networks Inc.), Network ingress filtering: Defeating denial of service attacks which employ IP source address spoofing, May 2000.

[42] Chuanyi Ji and Zesheng Chen, Importance-scanning worm using vulnerable-host distribution, IEEE Global Telecommunications Conference (GLOBECOM '05), vol. 3, 2005.

[43] Xuxian Jiang and Dongyan Xu, Collapsar: A VM-based architecture for network attack detention center, Tech. report, August 9-13, 2004.

[44] Jeffrey O. Kephart and Steve R. White, Directed-graph epidemiological models of computer viruses, IEEE Symposium on Security and Privacy, 1999, pp. 343–361.

[45] Peter Komisarczuk, Christian Seifert, Dean Pemberton, and Ian Welch, Grid enabled Internet instruments, Tech. report, School of Mathematics, Statistics and Computer Science, Victoria University of Wellington, Wellington, New Zealand, March 2007.

[46] Ramana Rao Kompella, Sumeet Singh, and George Varghese, On scalable attack detection in the network, Tech. report, University of California, San Diego; Internet Measurement Conference 2004, 2004.

[47] E. Kranakis, D. Whyte, and P. C. van Oorschot, Detecting intra-enterprise scanning worms based on address resolution, 21st Annual Computer Security Applications Conference (2005).

[48] Balachander Krishnamurthy, Mohonk: Mobile honeypots to trace unwanted traffic early, Tech. report, AT&T Labs Research, 2004.

[49] Abhishek Kumar, Vern Paxson, and Nicholas Weaver, Exploiting underlying structure for detailed reconstruction of an Internet-scale event, ACM IMC, October 2005, New Orleans, LA.

[50] Abhishek Kumar, Vern Paxson, and Nicholas Weaver, Exploiting underlying structure for detailed reconstruction of an Internet-scale event, Tech. report, Georgia Institute of Technology and ICSI, October 19, 2005.

[51] L. Li, I. Hamadeh, S. Jiwasurat, G. Kesidis, P. Liu, and C. Neuman, Emulating sequential scanning worms on the DETER testbed, Tech. report, Pennsylvania State University, University Park.

[52] M. Bailey, E. Cooke, F. Jahanian, A. Myrick, and S. Sinha, Practical darknet measurement, 40th Annual Conference on Information Sciences and Systems (CISS 2006), doi:10.1109/CISS.2006.286376, March 2006, pp. 1496–1501.

[53] Danny McPherson and Barry Greene, ISP security: Deploying and using sinkholes, June 2003.

[54] D. Moore and C. Shannon, The spread of the Witty worm, IEEE Security & Privacy Magazine, vol. 2 (2004), no. 4.

[55] David Moore, Network telescopes: Observing small or distant security events, Cooperative Association for Internet Data Analysis (CAIDA), San Diego Supercomputer Center, University of California, San Diego, August 8, 2002.

[56] David Moore, Network telescopes overview: What is a "network telescope"?, 2003.

[57] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver, The spread of the Sapphire/Slammer worm, Tech. report, CAIDA, 2003.

[58] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver, Inside the Slammer worm, IEEE Security and Privacy, 1(4):33–39, July 2003.

[59] David Moore and Colleen Shannon, Network telescopes: The FloCon files, 2004.

[60] David Moore and Colleen Shannon, The spread of the Code-Red worm (CRv2), March 30, 2006.

[61] David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, and Stefan Savage, Inferring Internet denial-of-service activity, Tech. Report 2, New York, NY, USA, 2006.

[62] David Moore, Colleen Shannon, and Jeffery Brown, Code-Red: A case study on the spread and victims of an Internet worm, ACM Internet Measurement Workshop 2002, Marseille, France, November 2002.

[63] David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage, Internet quarantine: Requirements for containing self-propagating code, Proceedings of the 2003 IEEE INFOCOM Conference (San Francisco, CA), April 2003.

[64] David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage, Network telescopes: Technical report, Tech. report, Cooperative Association for Internet Data Analysis (CAIDA), July 2004.

[65] David Moore, Geoffrey M. Voelker, and Stefan Savage, Quantitative network security analysis, Tech. report, CAIDA/SDSC and CSE Department, University of California, San Diego, 9500 Gilman Drive, MS 0505, La Jolla, CA 92092-0505, December 4, 2002.

[66] Jose Nazario, The Blaster worm: The view from 10,000 feet, http://monkey.org/jose/presentations/blaster.d/, 2003.

[67] O. Spatscheck and L. Peterson, Defending against denial of service attacks in Scout, Proceedings of the 1999 USENIX/ACM Symposium on Operating System Design and Implementation, 1999, pp. 59–72.

[68] Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, and Larry Peterson, Characteristics of Internet background radiation, IMC '04: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement (New York, NY, USA), ACM Press, 2004, pp. 27–40.

[69] Vern Paxson, Addressing the threat of Internet worms, ICSI Center for Internet Research and Lawrence Berkeley National Laboratory, February 2005.

[70] Honeynet Project, Know your enemy: Honeynets, November 2002.

[71] Niels Provos, A virtual honeypot framework, Proceedings of the 13th USENIX Security Symposium (San Diego, CA, USA), August 2004, pp. 1–14.

[72] P. T. Chen, C. S. Laih, F. Pouget, and M. Dacier, Comparative survey of local honeypot sensors to assist network forensics, First International Workshop on Systematic Approaches to Digital Forensic Engineering, ISBN 0-7695-2478-8, IEEE, November 7-9, 2005, pp. 120–132.

[73] Moheeb Abu Rajab, Fabian Monrose, and Andreas Terzis, Worm evolution tracking via timing analysis, Tech. report, Johns Hopkins University; The 3rd Workshop on Rapid Malcode (WORM), 2005.

[74] Moheeb Abu Rajab, Fabian Monrose, and Andreas Terzis, Fast and evasive attacks: Highlighting the challenges ahead, Lecture Notes in Computer Science, vol. 4219/2006, ISBN 978-3-540-39723-6, Malware Collection and Analysis, pp. 206–225, Springer Berlin / Heidelberg, September 21, 2006.

[75] Joel Sandin, P2P systems for worm detection, DIMACS Large Scale Attacks Workshop presentation, September 2003.

[76] Sandvine, Million dollar home page DDoS, Tech. report, Sandvine, January 16, 2006.

[77] Christian Seifert, Ian Welch, and Peter Komisarczuk, Taxonomy of honeypots, Technical Report CS-TR-06/12, Victoria University of Wellington (Te Whare Wananga o te Upoko o te Ika a Maui), June 2006.

[78] Giuseppe Serazzi and Stefano Zanero, Computer virus propagation models, Tech. report, Dipartimento di Elettronica e Informazione, Politecnico di Milano, Via Ponzio 34/5, 20133 Milano, Italy, 2001.

[79] S. Shakkottai and R. Srikant, Peer to peer networks for defense against Internet worms, Tech. report, Workshop on Interdisciplinary Systems Approach in Performance Evaluation and Design of Computer & Communications Systems, Pisa, Italy, October 2006.

[80] Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage, Automated worm fingerprinting, Tech. report, Department of Computer Science and Engineering, University of California, San Diego, 2006.

[81] Sumeet Singh, Cristian Estan, George Varghese, and Stefan Savage, The EarlyBird system for real-time detection of unknown worms, Technical Report CS2003-0761, Department of Computer Science, University of California, San Diego, August 2003.

[82] Dug Song, Rob Malan, and Robert Stone, A snapshot of global Internet worm activity, November 13, 2001.

[83] Stuart Staniford, Vern Paxson, and Nicholas Weaver, How to 0wn the Internet in your spare time, August 2002, http://www.icir.org/vern/papers/cdc-usenix-sec02.

[84] Robert Stone, CenterTrack: An IP overlay network for tracking DoS floods, Proceedings of the 2000 USENIX Security Symposium, 2000, pp. 199–212.

[85] Greg Tomsho, Ed Tittel, and David Johnson, Guide to Networking Essentials, 3rd ed., ISBN 0619130873, Course Technology, Thomson, 25 Thomson Place, Boston, Massachusetts 02210, 2003.

[86] Jean-Pierre van Riel and Barry Irwin, InetVis, a visual tool for network telescope traffic analysis, Tech. report, Department of Computer Science, Rhodes University, Grahamstown, South Africa, 6140, January 25, 2006.

[87] Nicolas Vanderavero, Xavier Brouckaert, Olivier Bonaventure, and Baudouin Le Charlier, The HoneyTank: A scalable approach to collect malicious Internet traffic, Tech. report, Computing Science and Engineering Department, Université catholique de Louvain, 2004.

[88] Vinod Yegneswaran, Paul Barford, and Johannes Ullrich, Internet intrusions: Global characteristics and prevalence, Proceedings of ACM SIGMETRICS, June 2003.

[89] Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage, Scalability, fidelity, and containment in the Potemkin virtual honeyfarm, SOSP '05: Proceedings of the Twentieth ACM Symposium on Operating Systems Principles (New York, NY, USA), ACM Press, 2005, pp. 148–162.

[90] A. D. Wood and J. A. Stankovic, Denial of service in sensor networks, Computer 35 (2002), no. 10, 54–62.

[91] Jianhong Xia, Lixin Gao, and Teng Fei, Flooding attacks by exploiting persistent forwarding loops, Proceedings of the USENIX/ACM Internet Measurement Conference, October 2005.

[92] Jianhong Xia, Sarma Vangala, Jiang Wu, Lixin Gao, and Kevin Kwiat, Effective worm detection for various scan techniques, Journal of Computer Security, vol. 14, no. 4, pp. 359–387, 2006.

[93] Vinod Yegneswaran, Paul Barford, and Dave Plonka, On the design and use of Internet sinks for network abuse monitoring, Lecture Notes in Computer Science, vol. 3224/2004, ISBN 978-3-540-23123-3, Recent Advances in Intrusion Detection, pp. 146–165, Springer Berlin / Heidelberg, October 1, 2004.

[94] Cliff C. Zou, Don Towsley, and Weibo Gong, On the performance of Internet worm scanning strategies, Technical Report TR-03-CSE-07, Department of Electrical & Computer Engineering and Department of Computer Science, University of Massachusetts, Amherst, 2003.

[95] Cliff Changchun Zou, Lixin Gao, Weibo Gong, and Don Towsley, Monitoring and early warning, 2003.

[96] Cliff Changchun Zou, Weibo Gong, and Don Towsley, Code Red worm propagation modeling and analysis, Proceedings of the 9th ACM Conference on Computer and Communications Security, ACM Press, 2002, pp. 138–147.
