Sara Asgari

2 Papers

CR · Aug 17, 2021
Reconstruction of Worm Propagation Path Using a Trace-back Approach

Sara Asgari, Babak Sadeghiyan

Worm origin identification and propagation path reconstruction are essential problems in digital forensics. However, only a small number of studies have specifically investigated these problems so far. In this paper, we extend a distributed trace-back algorithm, called Origins, which is only able to identify the origins of fast-spreading worms. We make some modifications to this algorithm so that in addition to identifying the worm origins, it can also reconstruct the propagation path. We also evaluate our extended algorithm. The results show that our algorithm can reconstruct the propagation path of worms with high recall and precision, on average around 0.96. Also, the algorithm identifies the origins correctly in all of our experiments.

CR · Jun 9, 2020
Towards Generating Benchmark Datasets for Worm Infection Studies

Sara Asgari, Babak Sadeghiyan

Worm origin identification and propagation path reconstruction are among the essential problems in digital forensics. Until now, several methods have been proposed for this purpose. However, evaluating these methods is a big challenge because there are no suitable datasets containing both normal background traffic and worm traffic to evaluate these methods. In this paper, we investigate different methods of generating such datasets and suggest a technique for this purpose. ReaSE is a tool for the creation of realistic simulation environments. However, it needs some modifications to be suitable for generating the datasets, so we make the required modifications to it. Then, we generate several datasets for Slammer, Code Red I, Code Red II and modified versions of these worms in different scenarios using our technique and make them publicly available.