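@comment{Cleaned from a repository (Pure/Scopus-style) export. Changes: author names
  rewritten in the unambiguous "Last, First" form (the exported "First Last" form relies
  on capitalisation to find the surname); field values brace-delimited instead of quoted;
  title entered in Title Case so the style can downcase it but never has to restore lost
  capitals; the ETRICS acronym braced in booktitle; the "(including subseries ...)" suffix
  dropped from the series name. The citation key is deliberately kept as exported so existing
  \cite commands still resolve. "language" is not a standard BibTeX field (classic BibTeX
  ignores it; biblatex would use langid) and is kept only for round-tripping. keywords were
  derived from the abstract. Volume number and conference venue are not in the export and
  were not added.}
@inproceedings{2a6c48a10ac04627bcf68a1186920b72,
  author    = {Hamadeh, Ihab and Kesidis, George},
  title     = {Toward a Framework for Forensic Analysis of Scanning Worms},
  booktitle = {Emerging Trends in Information and Communication Security - International Conference, {ETRICS} 2006, Proceedings},
  series    = {Lecture Notes in Computer Science},
  pages     = {282--297},
  publisher = {Springer Verlag},
  address   = {Germany},
  year      = {2006},
  doi       = {10.1007/11766155_20},
  isbn      = {3540346406},
  language  = {English (US)},
  keywords  = {network forensics, scanning worms, infection tree, SQL Slammer, Witty worm},
  note      = {International Conference on Emerging Trends in Information and Communication Security, ETRICS 2006 ; Conference date: 06-06-2006 Through 09-06-2006},
  abstract  = {Scanning worms have been around for a while and have had some damaging effects on the Internet. Because of their fast spread and their random selection of their target victims, building a global knowledge about which infected end-systems caused the infection of which susceptible end-systems seems fairly hard. In this paper, we propose to find the originator(s) (i.e., first infected end-system(s)) that spread the worm. The broader view is to build the complete infection tree(s) rooted at the originator(s) and which leaves consist of susceptible machines becoming infected. Besides, scanning worms could unintentionally divulge some information about the machines they infect. We will show how such information could be extracted from the scans of a victim end-system. We studied two different worms, the SQL Slammer/Sapphire worm and the Witty worm, and demonstrated the possibility of building the infection tree and gathering information about the infected end-systems.},
}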