TL;DR
This paper presents a novel technique and tool modifications for generating realistic benchmark datasets containing both normal and worm traffic, facilitating the evaluation of digital forensics methods for worm origin identification.
Contribution
It introduces a new dataset generation method and modifies the ReaSE tool to create realistic worm traffic datasets for multiple worms, which are made publicly available.
Findings
Generated datasets for the Slammer, Code Red I, and Code Red II worms in various scenarios.
Modified ReaSE tool for realistic simulation environment creation.
Datasets are publicly accessible for research use.
Abstract
Worm origin identification and propagation path reconstruction are among the essential problems in digital forensics. Until now, several methods have been proposed for this purpose. However, evaluating these methods is a big challenge because there are no suitable datasets containing both normal background traffic and worm traffic to evaluate these methods. In this paper, we investigate different methods of generating such datasets and suggest a technique for this purpose. ReaSE is a tool for the creation of realistic simulation environments. However, it needs some modifications to be suitable for generating the datasets, so we make the required modifications to it. Then, we generate several datasets for Slammer, Code Red I, Code Red II and modified versions of these worms in different scenarios using our technique and make them publicly available.
