Publications (2)0 Total impact
ABSTRACT: The increasing availability of network testbeds and the benefits of visualization-based security study call for the emergence of supporting tools for network security research. In this article we present ESVT, an integrated experiment specification and visualization toolkit that supports network experimenters to conduct interactive experiments on network testbeds such as DETER and Emulab. The ESVT package includes a topology builder including experiment specification, a TCL script generator, and various visualization tools. The unique feature of ESVT visualization is the combination of topology-based network animation for global awareness and detailed data analysis support through a complete set of data conversion, data selection, and graphical analytical tools.
ABSTRACT: A worm-infected host scanning globally may not cause any new infection in its underlying local network before it is detected and quarantined by a worm detector. To defend this type of scanning hosts, a number of worm scanner detection methods such as failed scan detection, honeypot, and dark port detection are proposed. However, for a stealthier worm limiting its scan inside an enterprise network, the chance of a successful local outbreak increases substantively due to the more limited scan space.To protect a local or enterprise network against a local outbreak, we need a coordinated and cost-conscious defense that entails an accurate estimate of worm virulence level. Unfortunately, many existing defense methods suffer from estimating the worm virulence level in a local or enterprise network. In this regard, we propose a maximum likelihood estimator to progressively estimate the size of susceptible host population in the local or enterprise network. From analysis and experimental evaluation, it is shown that the proposed estimator can report a reliable estimate of the size of susceptible population only after a few infections, sometimes only four, much faster than a similar method based on a Kalman filter. Also, based on maximum likelihood estimate, an appropriate containment threshold can be set to effectively stop the worm propagation while causing minimum service disruption to normal network users.
Computers & Security.