Shad Stafford

University of Oregon, Eugene, Oregon, United States


Publications (7), 0.69 Total impact

  • Shad Stafford, Jun Li
    ABSTRACT: Many worm detectors have been proposed and are being deployed, but the literature does not clearly indicate which one is the best. New worms such as IKEE.B (also known as the iPhone worm) continue to present new challenges to worm detection, further raising the question of how effective our worm defenses are. In this paper, we identify six behavior-based worm detection algorithms as being potentially capable of detecting worms such as IKEE.B, and then measure their performance across a variety of environments and worm scanning behaviors, using common parameters and metrics. We show that the underlying network trace used to evaluate worm detectors significantly impacts their measured performance. An environment containing substantial gaming and file sharing traffic can cause the detectors to perform poorly. No single detector stands out as suitable for all situations. For instance, connection failure monitoring is the most effective algorithm in many environments, but it fails badly at detecting topologically aware worms.
    Recent Advances in Intrusion Detection, 13th International Symposium, RAID 2010, Ottawa, Ontario, Canada, September 15-17, 2010. Proceedings; 01/2010
  • Shad Stafford, Jun Li, Toby Ehrenkranz
    ABSTRACT: Once a host is infected by an Internet worm, prompt action must be taken before that host does more harm to its local network and the rest of the Internet. It is therefore critical to quickly detect that a worm has infected a host. In this paper, we enhance our SWORD system to allow for the detection of infected hosts and evaluate its performance. This enhanced version of SWORD inherits the advantages of the original SWORD: it does not rely on inspecting traffic payloads to search for worm byte patterns or setting up a honeypot to lure worm traffic. Furthermore, while acting as a host-level detection system, it runs at a network's gateway and stays transparent to individual hosts. We show that our enhanced SWORD system is able to quickly and accurately detect if a host is infected by a zero-day worm. Furthermore, the detection is shown to be effective against worms of different types and speeds, including polymorphic worms.
    SIMULATION: Transactions of The Society for Modeling and Simulation International 01/2007; 83:199-212. · 0.69 Impact Factor
  • Reza Rejaie, Shad Stafford
    ABSTRACT: This paper presents a simple and scalable framework for architecting peer-to-peer overlays called Peer-to-peer Receiver-driven Overlay (or PRO). PRO is designed for non-interactive streaming applications, and its primary design goal is to maximize delivered bandwidth (and thus delivered quality) to peers with heterogeneous and asymmetric bandwidth. To achieve this goal, PRO adopts a receiver-driven approach where each receiver (or participating peer) (i) independently discovers other peers in the overlay through gossiping, and (ii) selfishly determines the best subset of parent peers through which to connect to the overlay to maximize its own delivered bandwidth. Participating peers form an unstructured overlay, which is inherently more robust to high churn rates than structured overlay networks. Furthermore, each receiver leverages congestion-controlled bandwidth from its parents as an implicit signal to detect and react to long-term changes in network or overlay conditions without any explicit coordination with other participating peers. Independent parent selection by individual peers dynamically converges to an efficient overlay structure.
    Network and Operating System Support for Digital Audio and Video, 14th International Workshop, NOSSDAV 2004, Cork, Ireland, June 16-18, 2004, Proceedings; 01/2004
  • ABSTRACT: This work presents our GLOWS (Gateway Level Oregon Worm Simulator) simulator, designed to produce realistic worm traffic over a broad range of scenarios. GLOWS simulates the spread of a worm across the Internet and its propagation into a single domain with the goal of capturing the worm traffic that crosses the gateway point separating the monitored domain from the Internet.
  • Shad Stafford, Toby Ehrenkranz, Jun Li
  • Jun Li, Shad Stafford, Toby Ehrenkranz
    ABSTRACT: As the launching of a worm can have disastrous effects on the Internet in just minutes, it is essential to automatically and reliably detect worms in their early stages. In contrast to content-based approaches, in this paper we study the feasibility of a behavior-based solution through our SWORD framework. As SWORD does not inspect the payload of traffic, it is resilient against polymorphic worms and avoids the expense of examining traffic payload. We focus on three algorithms embraced in the SWORD framework: the causal similarity identification algorithm, destination address distribution analysis algorithm, and continuity analysis algorithm. We investigate how they may identify worm-like connections and raise an alarm by identifying essential behaviors that a worm must display. Our evaluation shows that SWORD exhibits promise in quickly, accurately, and efficiently detecting self-propagating worms of different speeds and scanning methods. We also point out extensions to SWORD that can detect infected hosts and classify a worm based on its behavior. Although some limitations and open issues remain, SWORD is an important step toward detecting zero-day self-propagating worms via a behavior-based approach.
  • Shad Stafford, Jun Li, Toby Ehrenkranz
    ABSTRACT: Once a host is infected by an Internet worm, prompt action must be taken before that host does more harm to its local network and the rest of the Internet. It is therefore critical to quickly detect that a worm has infected a host. In this paper, we enhance our SWORD system to allow for the detection of infected hosts and evaluate its performance. This enhanced version of SWORD inherits the advantages of the original SWORD: it does not rely on inspecting traffic payloads to search for worm byte patterns or setting up a honeypot to lure worm traffic. Furthermore, while acting as a host-level detection system, it runs at a network's gateway and stays transparent to individual hosts. We show that our enhanced SWORD system is able to quickly and accurately detect if a host is infected by a zero-day worm. Furthermore, the detection is shown to be effective against worms of different types and speeds, including polymorphic worms.